HHS Issues HIPAA Changes


By: Cynthia C. Anderson

On January 17, 2013, the Department of Health and Human Services Office for Civil Rights released the long-awaited final rule adopting a number of changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. These changes were mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). A few highlights of the final rule are summarized below.


The final rule makes several important changes to the business associate provisions. The most significant is that business associates themselves now become subject to many of the privacy and security rules in the same manner as covered entities and become liable for the same civil and criminal penalties. Business associates are also now subject to the same breach reporting requirements and are equally responsible with the covered entity for ensuring that there is a business associate agreement or similar document in place with a covered entity.

The rule also clarifies which entities are considered to be business associates. The definition of business associate now includes: health information organizations, e-prescribing gateways, and other entities that provide data transmission services to a covered entity and require access to protected health information on a routine basis; entities that offer a personal health record on behalf of a covered entity; and subcontractors. A subcontractor who receives, creates, maintains or transmits protected health information on behalf of a business associate is now also subject to HIPAA, and there must be a written agreement between the business associate and the subcontractor that contains the same elements that are required in a business associate agreement between a covered entity and a business associate.


The rule requires modification to and redistribution of a covered entity’s Notice of Privacy Practices. The notice must be updated to include a description of the types of uses and disclosures that require an authorization. It must also explain, if applicable, that the individual has the right to opt out of any fundraising communications, and must also explain that the individual will be notified if there is a breach of unsecured protected health information.


Covered entities have new requirements with respect to the use or disclosure of protected health information for fundraising and marketing. Fundraising communications must now include a “clear and conspicuous opportunity” for an individual to opt out of receiving further communications; however, the covered entity may also provide a method for the individual to opt back in to receiving such communications. Treatment and payment may not be conditioned on the individual’s agreement to receive fundraising communications.

The rule also provides more specificity with respect to HIPAA’s marketing restrictions. It excludes from the definition of “marketing” communications for treatment, case management or care coordination, or communications describing health related services or products provided by the covered entity, so long as the covered entity does not receive financial remuneration in exchange for making the communication.


In the area of research, the rule makes an exception to the prohibition against “compound authorizations” to allow conditioned and unconditioned authorizations to be combined, so long as the authorization specifies which components are conditioned and which are unconditioned and clearly allows the subject to opt in to the unconditioned research activities. It also provides that authorizations need not be study-specific, provided that they describe future uses or disclosures in sufficient detail to enable the subject to give an informed consent. This brings the HIPAA rule into harmony with the Common Rule’s informed consent requirements.

Other areas that are addressed in the new rule include use or disclosure of immunization records of students, sale of protected health information, access to protected health information, notification of breaches of unsecured protected health information, and disclosure of genetic information for underwriting purposes.

All health care providers should review their privacy and security policies and procedures to determine what changes will be needed to address the new requirements. The rule comes into effect on March 26, 2013, and covered entities and their business associates must be in compliance by September 23, 2013.