Significant Changes to HIPAA Effective March 26, 2013

by Miller & Martin PLLC

The following is a summary of the major changes to HIPAA under the new Final Rule:
1. Breach Notification Standard Lowered — In perhaps the most significant change under the Final Rule, the new regulations considerably alter what constitutes a breach of Protected Health Information (PHI) and wether the breach notification requirements are  triggered. Under the current HIPAA regulations, to determine whether a breach has occurred (and whether a breach notification is required), a Covered Entity or Business Associate must conduct a risk assessment to determine whether the use or disclosure of PHI in question “poses a significant risk of financial, reputational, or other harm to the individual.” Under the Final Rule, an improper use or disclosure of PHI is presumed now to be a breach unless the Covered Entity or Business Associate “demonstrates that there is a low probability that the protected health information has been compromised” through a risk assessment of at least four factors set forth in the new regulations:
(i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
(ii) The unauthorized person who used the PHI or to whom the disclosure was made.
(iii) Whether the PHI was actually acquired or viewed.
(iv) The extent to which the risk to the PHI has been mitigated.
This “presumption of breach” standard is a much lower standard than the previous “significant risk of harm” standard and is likely to lead to more breach notifications from Covered Entities and their Business Associates.
2. Expanded Definition of Business Associate — The Final Rule broadens the definition of Business Associate under HIPAA, such that HIPAA now applies to a whole new group of entities that will all need to be compliant by September 23, 2013.  The Final Rule clarifies that the following persons and entities are now Business Associates under HIPAA:
(i)  Any person or entity that provides data transmission services of PHI to a Covered Entity and requires access on a routine basis to such PHI. (Covered Entities will need to review their relationships with vendors and others who transmit PHI on their behalf and determine whether that person or entity requires access to its PHI on a routine basis. Many Covered Entities will gain an expanded list of Business Associates through this clarification of the Final Rule and will need to put Business Associate Agreements in place by the compliance date.)
(ii)  Any subcontractor of a business associate that handles PHI. (If a Business Associate subcontracts part of its function requiring access to or use of PHI to another organization, that subcontractor is now a Business Associate under HIPAA, and under the new regulations, there must be a written agreement in place between the Business Associate and its subcontractor that meets all of the requirements of a Business Associate Agreement under HIPAA.  The Final Rule also makes it clear that in this situation, it is the Business Associate who retains the subcontractor, and not the Covered Entity, that is responsible for ensuring there is a proper Business Associate Agreement in place.)
(iii)  Any entity that maintains PHI on behalf of a Covered Entity. (Under the Final Rule, a Business Associate now includes a person or entity that maintains PHI on behalf of a Covered Entity, even if that person or entity does not access or view the PHI.  If a Covered Entity uses an outside organization to store and/or maintain its PHI, it now needs to make sure it has a Business Associate Agreement in place with that vendor that meets all the requirements under HIPAA.)
3. Application of HIPAA to Business Associates — The Final Rule applies certain HIPAA privacy, security, and enforcement regulations directly to Business Associates, and provides that if a Business Associate violates any HIPAA provision that is now directly applicable to it, the Business Associate is subject to all criminal and civil penalties under HIPAA, which were increased significantly under HITECH.  Under the revised HIPAA regulations, Business Associates are now directly liable for:
(i)  Impermissible uses or disclosures of PHI;
(ii)  Failure to provide proper breach notification to a Covered Entity;
(iii)  Failure to provide appropriate access to an electronic copy of PHI to a Covered Entity, individual, or individual’s representative;
(iv) Failure to disclose PHI when required by HHS to investigate the Business Associate’s compliance with HIPAA;
(v)  Failure to provide an accounting of disclosures;
(vi)  Failure to comply with the applicable requirements of the Security Rule.
Perhaps most significantly, the Final Rule provides that if a Business Associate violates a provision of a Business Associate Agreement, that contractual violation is now a HIPAA violation.  The Final Rule also states that Business Associates must comply with HIPAA’s “minimum necessary” standard and only use, disclose, or request PHI from another entity if they limit PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.
4. New Requirements for Business Associate Agreements — An organization’s Business Associate Agreements may need to be amended or updated to comply with the Final Rule.  Under the new regulations, Business Associate Agreements must now require that the Business Associate will do the following:
(i) Comply, where applicable, with the HIPAA Security Rule;
(ii) Report breaches of unsecured PHI to the Covered Entity as required under the breach notification rules;
(iii) Make certain that any subcontractors that create or receive PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate (there must now be a Business Associate Agreement in place between a Business Associate and its subcontractors in these circumstances); and
(iv) Comply with the requirements of the HIPAA Privacy Rule whenever the Business Associate is required to perform the Covered Entity's obligation under the Privacy Rule. Business Associate Agreements entered into prior to January 25, 2013, between Covered Entities and Business Associates (as well as Business Associates and their subcontractors) that are not renewed or modified between March 26, 2013, and September 23, 2013, and that met the requirements of HIPPA and HITECH prior to January 25, 2013, will be granted grandfathered status and deemed to continue in compliance until September 23, 2014, or the date the contract is renewed or modified, whichever occurs first. All other Business Associate Agreements must be in compliance with the new regulations by September 23, 2013.
5. New Requirements for Notice of Privacy Practices — The Final Rule requires Covered Entities to revise their Notice of Privacy Practices to include a statement that:
(i) Describes the types of uses and disclosures that require authorization under HIPAA (if the Covered Entity intends to engage in any of them);
(ii) Informs individuals that they have the right to opt out of receiving fundraising communications (if the Covered Entity uses PHI to conduct fundraising activities);
(iii) Informs individuals that they have a right to pay out-of-pocket for a service and the right to require that the Covered Entity not submit PHI to the individual’s health plan if they do so; and
(iv) Informs individuals that the Covered Entity has a duty to notify affected individuals following a breach of unsecured PHI.
6. Fundraising — The Final Rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of individuals’ health information without their permission.   The Final Rule tightens the rules about providing individuals the opportunity to opt out of receiving future fundraising materials and requires clear instructions on how to opt-out.
7. Expanded Patient Rights — Under the Final Rule, a Covered Entity is required to abide by an individual’s request to restrict the disclosure of PHI to a health plan if the individual, or someone on behalf of the individual, has paid the Covered Entity in full.  The new regulations also provide that if an individual requests an electronic copy of their PHI, then a Covered Entity must provide access to that information in electronic form, if it is readily producible in that form. So a Covered Entity will have to produce PHI in an electronic format if it maintains records electronically (as it is considered readily producible in this circumstance).    Further,  under the Final Rule, if an individual directs a Covered Entity, in a signed writing, to electronically transmit a copy of the PHI to another person designated by that individual, then the Covered Entity must transmit the PHI electronically to that party.  Additionally, HIPAA now permits a Covered Entity only one 30-day extension to respond to a request for access. Finally, the new regulations streamline individuals’ ability to authorize the use of their health information for research purposes and make it easier for parents and others to give permission to share proof of a child’s immunization with a school.
8. Increased Flexibility with PHI of Deceased Patients — Under the Final Rule, Covered Entities are now permitted to disclose PHI to a decedent’s family members and others who were involved in the patient’s care, or payment for that care, prior to death, unless doing so would be inconsistent with any prior expressed preferences known to the Covered Entity.  This is limited to disclosing PHI that is relevant to the family member or other person’s involvement in the individual’s healthcare or payment.  Additionally, under the new HIPAA regulations, health information is no longer PHI after a patient has been dead for 50 years.
9. Civil Monetary Penalties — The Final Rule retains the increased civil monetary penalties for HIPAA violations that were set forth under the HITECH Act.  The new tiered penalty system currently applies to Covered Entities and under the Final Rule it will be applicable to Business Associates and their subcontractors.  The penalty amounts range from $100 per violation, up to a maximum penalty of $1.5 million for violations of the same HIPAA provision in a calendar year.  Penalties in the four-tiered system increase based on the level of culpability.  The lowest level of penalties ($100 to $50,000 per violation) applies to situations where the Covered Entity or Business Associate did not know about the HIPAA violation.  The highest penalty level, which starts at $50,000 per violation, applies when the Covered Entity or Business Associate demonstrated “willful neglect” in violating HIPAA, and it failed to correct the violation.
For further information about HIPAA, HITECH, or any of the changes in the Final Rule, please contact Susan Steelman, Christie Burbank, Jade Dodds or any member of Miller & Martin's Health Care Practice Group.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miller & Martin PLLC | Attorney Advertising

Written by:

Miller & Martin PLLC

Miller & Martin PLLC on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.