HIPAA Privacy & Security Final Regulations

Just when you thought you were done with HIPAA, the final rules get published. Now you must amend your notice of privacy practices as well as your policies and procedures (dust off the binder) and you must provide new training to staff. You have eight months in which to get your HIPAA house in order.

The final HIPAA privacy and security rule consists of four final rules, which have been combined into a single omnibus rule:

– HIPAA Privacy, Security, and Enforcement Rules:

  1. Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
  2. Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
  3. Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  4. Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
  5. Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
  6. Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

– HIPAA Enforcement

– Breach Notification

– Genetic Information Nondiscrimination Act (GINA) modifications, which prohibit health plans from using or disclosing genetic information for underwriting purposes

Effective Date: March 26, 2013

Compliance Date: September 23, 2013 – Covered entities and business associates must comply with the applicable requirements of the final rule by this date.

Significant changes from previous versions of the regulations:

  1. General Changes
    1. PHI stored in the memory of photocopiers, fax machines and similar electronic devices is electronic PHI and must be protected like any other electronic PHI, whether or not the user intended to create an electronic record.
    2. The definition of “PHI” excludes information related to a person deceased for more than 50 years.
    3. The covered entity’s or business associate’s “workforce” includes employees, volunteers, trainees, and other persons under the direct control of the entity or associate whether or not they are paid.
    4. The Final Rule adopts the larger HITECH penalty tiers and the “willful neglect” standard, under which violations due to willful neglect carry mandatory and substantially higher penalties.
  2. Notice of Privacy Practices
    1. The Final Rule requires covered entities to modify their Notice of Privacy Practices. The notice must describe the types of uses and disclosures that require an authorization, state that other uses and disclosures not described in the notice will be made only with the individual’s written authorization, and state that such authorization may be revoked.
    2. The notice can no longer describe marketing and patient opt-out rights since marketing must be authorized by the patient.
    3. A separate notice about appointment reminders or treatment alternatives need not be given, because these communications already fall under treatment or health care operations; if the entity is paid by a third party for such communications, they are marketing and require authorization.
    4. The notice must state that an individual may request a restriction on disclosures and that the covered entity is not required to agree to such a request. However, health care providers must also state in the notice the patient’s right to restrict disclosure to a health plan of information about care the patient has paid for in full out of pocket.
    5. The notice must include a statement of the entity’s obligation to notify affected individuals of a breach of unsecured PHI (PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons, e.g. by encryption).
    6. If relevant, include a statement that genetic information cannot be used for health plan underwriting activities.
  3. Marketing
    1. The Final Rule requires authorization for all treatment and health care operations communications for which the covered entity or business associate receives financial remuneration from a third party whose product or service is being marketed.
    2. Exceptions to the authorization requirement include refill reminders and other communications about a drug or biologic currently prescribed to the individual. However, HHS interprets the payment permitted under this exception as limited to an amount reasonably related to the cost of labor, supplies, and postage needed to make the communication. Payment in excess of that cost takes the communication outside the exception and requires authorization.
    3. Marketing does not include the promotion of health in general, provided that the communications do not promote the products and services of a particular seller, and does not include promotion of government and government-sponsored programs.
  4. Business Associates
    1. The definition of a “business associate” has been expanded to include any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This explicitly includes subcontractors, Patient Safety Organizations, Health Information Organizations, e-prescribing Gateways, and vendors of Personal Health Records that provide services on behalf of a covered entity.
    2. Business associates are explicitly required to follow the HIPAA regulations, including, for example, the “minimum necessary” standard for uses and disclosures.
    3. Covered entities are not required to enter into a separate business associate agreement with a subcontractor of a business associate.
    4. Business associate agreements will still be required even though associates are directly liable under HIPAA.
    5. Business associate agreements between business associates and their subcontractors must be at least as stringent as the agreement between the business associate and the covered entity.
    6. Existing business associate agreements may be transitioned to conforming ones. All agreements must comply by September 22, 2014. If an agreement is renewed or modified after the September 23, 2013 compliance date, the revised agreement must conform to the new regulations at that time.
  5. Patient Rights
    1. Individuals may restrict the disclosure of PHI to a health plan if the information concerns health care for which the individual has paid in full out of pocket.
    2. Individuals may obtain electronic copies of health information that the covered entity maintains in electronic form. Subject to state law, covered entities may charge for the labor of copying and providing the requested information, such as the cost of creating, burning and providing a DVD of the records. Covered entities have 30 days to respond to requests for access to PHI; the response period does not depend on the format or location of the information.
      1. “(c)(2) The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.” [§164.524(c)(2)]
      2. “(4)(i) Labor for copying the protected health information requested by the individual, whether in paper or electronic form; (ii) Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media…” [§164.524(c)(4)]
      3. If the actual (cost-based) fee is less than the maximum permitted by state law, the actual fee governs. If the actual fee is more than state law permits, the state law cap governs.
  6. Violations and Penalties

Categories of Violations and Respective Penalty Amounts Available

Violation Category               Each Violation       Total for identical violations in a Calendar Year
Did Not Know                     $100 – $50,000
Reasonable Cause                 $1,000 – $50,000
Willful Neglect-Corrected        $10,000 – $50,000
Willful Neglect-Not Corrected