McAfee & Taft Healthcare Industry Alert: New HIPAA regulations - Begin your compliance review now

by McAfee & Taft

On January 17, 2013, the Department of Health and Human Services issued a final rule amending the Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations and implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act (the “Omnibus Rule”). Below is a summary of significant provisions and changes.

The compliance date is September 23, 2013

Covered entities (health plans, health care providers, and health care clearinghouses) and their business associates have until September 23, 2013, to become compliant with the Omnibus Rule.

Breach notification provisions have changed

An impermissible acquisition, access, use or disclosure of unsecured protected health information (PHI) will be presumed to be a reportable breach (to the individual, government, and in some cases, the media), unless the covered entity demonstrates there is a low probability that the PHI has been compromised. Under the current rule, a breach is reportable only if the use or disclosure poses a “significant risk of financial, reputational or other harm to the individual.” To demonstrate a low probability of harm, the covered entity must do a risk assessment and evaluate these factors:

  1. Nature and extent of PHI involved;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

A covered entity can choose to automatically report without doing a risk assessment.

Encryption is still golden

If PHI data is encrypted, it is considered secure. If a security breach occurs involving encrypted PHI, the breach is NOT reportable.

Substantial changes related to business associates and subcontractors

  • Business associates are separately and directly liable for violations of HIPAA. Business associates must comply with certain provisions of the HIPAA privacy and security rules.
  • Business associates will now include any party that creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA on behalf of a covered entity (or organized health care arrangement), in addition to parties that provide legal, accounting, consulting, actuarial and certain other identified services to or for the covered entity.
  • Business associates expanded to include health information organizations, e-prescribing gateways, other providers of data transmission services, vendors of personal health records, and subcontractors.
  • If a business associate discloses PHI to a subcontractor, the business associate must have a business associate agreement with the subcontractor satisfying the requirements under the Omnibus Rule.
  • All downstream subcontractors who use or disclose PHI are also business associates and must have business associate agreements in place.
  • Current business associate agreements will likely require revision to include additional provisions related to: reporting breaches to the covered entity; directly complying with HIPAA provisions applicable to duties; and complying with the HIPAA security rule with respect to electronic PHI.
  • Currently compliant business associate agreements are grandfathered for an additional year, unless renewed or modified. Covered entities and business associates may continue to operate under an existing business associate agreement until September 22, 2014, as long as
    1. The current agreement is fully compliant under the current HIPAA regulations, and
    2. The agreement is not amended or renewed between March 26, 2013, and September 22, 2013.

If it is amended during that time, the new or amended agreement must comply with the Omnibus Rule provisions. If the existing agreement automatically renews without any changes, it qualifies for grandfathering.

Additional rights for individuals

If an individual requests a copy of his/her PHI, the Omnibus Rule requires a covered entity to provide it in the form or format requested. If not readily producible and maintained electronically, a covered entity must provide it to the individual in electronic format. Under the current rule, if not readily producible, a covered entity may provide it in hard copy format.

Also, an individual may request that a covered entity provide an electronic copy of his/her PHI to a third party as long as the request is in writing (email is okay) and identifies the contact name and address of the third party. As long as the individual is making a request related to his/her own PHI (under the right to access), written authorization is not required.

Right to restrict PHI for out-of-pocket paid health care

A covered entity must agree to an individual’s request to restrict disclosures to a health plan for payment or health care operation purposes if the individual paid for the item or service out-of-pocket and in full.

Changes to the Notice of Privacy Practices

The covered entity’s Notice of Privacy Practices must include a statement that the covered entity has a duty to notify affected individuals of a breach of unsecured PHI and a statement that the covered entity cannot refuse a request to withhold information from a health plan when the individual pays in full for the item or service. If applicable, these statements must be included as well:

  1. The covered entity may contact individuals for fundraising and the individual’s right to opt out of receiving fundraising communications; and
  2. Health plans are prohibited from using and disclosing genetic information for underwriting purposes (except for long-term care insurance).

Increased enforcement by the Office for Civil Rights

Under the Omnibus Rule, the Office for Civil Rights (OCR) will investigate a complaint if a preliminary investigation indicates a possible violation due to “willful neglect,” and will impose penalties on all violations due to willful neglect. “Willful neglect” is conscious, intentional failure or reckless indifference to an obligation under HIPAA. Under the current rule, the OCR has discretion to conduct an investigation under these circumstances. Further, the Omnibus Rule requires the OCR to conduct a compliance review of a covered entity if a HIPAA violation is brought to its attention from “other than a formal complaint,” which includes a report from the media, state agency or other federal agency. Currently, the OCR attempts to informally resolve violations (such as allowing the covered entity to demonstrate compliance or implement a corrective action plan) prior to imposing penalties; the Omnibus Rule leaves it to the OCR’s discretion on whether to resolve a complaint informally. The OCR may move directly to a civil monetary penalty without exhausting informal resolution efforts.

Expansion of “marketing” and requirement for authorizations

If the marketing activity involves direct or indirect payment to the covered entity from a third party whose product or service is being marketed, authorization is required even for certain treatment and health care operation purposes currently within the definition of “marketing.”

The sale of PHI requires a covered entity to obtain an individual’s written authorization

The Omnibus Rule tightens the definition of the sale of PHI, but does provide several exceptions, including sale of a covered entity and related due diligence, business associate activities, and treatment and payment purposes.

Clarification that genetic information is health information and subject to HIPAA

Additionally, health plans (other than long-term care plans) may not use or disclose genetic information for underwriting purposes.

Covered entities may release immunization records

Covered entities may release student immunization records to schools without a signed authorization if state law requires the school to have the immunization record and the student (or parent or guardian) agrees orally or in writing (email is sufficient).

Easier access to a decedent’s PHI

If an individual is deceased, a covered entity may disclose PHI to a family member or other persons involved in the individual’s care or payment for health care prior to death, as long as the PHI is relevant to such person’s involvement and provided that it is not inconsistent with known preferences of the individual. Under the current rule, only a personal representative (as determined by state law) may obtain a decedent’s PHI. Also, a decedent’s health information is not PHI if the death occurred over 50 years ago.

  • Begin a HIPAA compliance review now
  • Evaluate all HIPAA privacy and security policies and revise as necessary, in particular policies related to:
    • Breach risk assessment and notification
    • Business associates
    • Notice of Privacy Practices
    • Marketing and fundraising
    • Sale of PHI
    • Individual’s right to access
    • Individual’s right to restrict uses and disclosures
    • Decedent’s PHI
    • Workforce sanctions for non-compliance
  • Update current business associate agreements
  • Consider whether new definition of “business associate” requires agreements with other third parties (including subcontractors)
  • Update Notice of Privacy Practices; post and distribute new Notice
  • Encrypt PHI in accordance with government guidelines to the extent possible
  • For health plans: address the restriction on use of genetic information for underwriting
  • Educate and train staff
  • Enforce sanctions against members of your workforce who fail to comply with policies and procedures

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McAfee & Taft | Attorney Advertising