New HIPAA Compliance Requirements Take Effect

Newly issued federal regulations have changed the requirements for compliance with the Health Insurance Portability and Accountability Act (HIPAA). The regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 that strengthen security measures for Protected Health Information (PHI) and step up auditing and enforcement.

Although the rule took effect March 26, 2013, physicians and other covered entities have until September 23, 2013, to comply with the new, wide-ranging regulations. The provisions are outlined in the HIPAA Omnibus Final Rule, published by the Department of Health and Human Services (HHS) in January 2013.

Changes for providers and patients

Among the rule’s significant changes is the broadened definition of a “business associate” (and the extension of HIPAA compliance obligations and direct liability to those entities) to include any vendor that creates, receives, maintains, or transmits PHI on the practice’s behalf (e.g., electronic health record [EHR] companies) and any subcontractor that handles PHI for such a vendor. These entities are now directly liable under HIPAA even if the practice has not signed a business associate agreement (BAA) with them. The rule also requires that existing BAAs be updated to reflect the new regulations. A BAA that was already in place on January 25, 2013, and is not modified before the compliance date may continue to operate under a transition provision until September 22, 2014, but it must be revised by then.

The criteria for a PHI breach have been revised from the subjective “risk of harm” standard to a more objective test. An impermissible use or disclosure of PHI is now presumed to be a breach unless the covered entity (or business associate) can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised. That assessment must consider at least four factors: the nature and extent of the PHI involved, the unauthorized person who used it or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Provisions in the HITECH Act also strengthen compliance and enforcement of HIPAA regulations by requiring HHS to conduct periodic audits of covered entities and business associates, large and small, and by increasing civil penalties for violations (now tiered by level of culpability, with a cap of $1.5 million per year for all violations of an identical provision) and strengthening criminal enforcement for unauthorized disclosure of PHI.

Other sections of the rule directly affect patients. A patient who pays out of pocket in full for a service can now require that the practice not disclose PHI about that service to the patient’s health plan for payment or health care operations, and the practice must honor that request. Sale of PHI and most marketing uses of PHI now require the patient’s written authorization. If a medical practice uses EHRs, patients also have the right to obtain an electronic copy of their records in the form and format they request, if it is readily producible.

Preparing for compliance

Before the September 23 deadline, physicians, office staff, and business associates will have to take several steps to meet the new HIPAA compliance requirements.

One of the first actions covered entities should take is to confirm that a privacy officer and a security officer have been designated (both are long-standing HIPAA requirements, not new ones) and that they own the compliance effort. The practice’s current privacy and security policies and procedures will need to be revised to align with the new provisions and then reviewed on a regular basis. These should include policies on securing portable electronic devices that may store PHI (laptops, phones, tablets, USB drives), as well as procedures for wiping any PHI from devices that are lost, retired, or suspected of being compromised. Procedures for encrypting PHI at rest and in transit should also be included; PHI that is encrypted in the manner described in HHS’s guidance on securing PHI is not considered “unsecured,” so the loss of a properly encrypted device does not by itself trigger breach notification.

Staff members who handle PHI (e.g., those working in the coding or billing departments) must be trained on the new office policies and HIPAA requirements, and that training should be documented. To ensure that practices are prepared for the new enforcement mechanisms, in-house audits and a documented security risk analysis should be conducted to identify and correct any compliance gaps before the deadline.

Patient privacy notices

Patient privacy notices (the Notice of Privacy Practices) must be revised to describe the new rights: the right to restrict disclosures to a health plan for services paid in full out of pocket, the requirement for written authorization before PHI is sold or used for most marketing, the right to be notified of a breach of unsecured PHI, and the right to an electronic copy of electronic PHI. Entities must also prepare methods to provide copies of a patient’s electronic PHI when requested.

Procedures for how staff should identify, investigate, document, and report a potential breach of PHI should be drafted and reviewed regularly. A breach of unsecured PHI must be reported to the affected individuals without unreasonable delay and no later than 60 days after discovery, to HHS, and, when more than 500 residents of a state or jurisdiction are affected, to prominent media outlets. Finally, all agreements with business associates need to be updated to reflect the extended HIPAA definition and liability.

Designed to protect and secure sensitive patient data, the HITECH Act provisions implemented by the Omnibus Final Rule will affect all health care providers this year. For more information on HIPAA and the requirements implemented under the Omnibus Final Rule, visit

May 2013 (Vol. 5, Number 5)