Here’s how to comply with HIPAA changes

In 2013, the U.S. Department of Health and Human Services adopted sweeping changes to the Health Insurance Portability and Accountability Act of 1996 that substantially altered rules on privacy, security and breach notification, and increased penalty amounts for violations.
This overhaul, known as the Omnibus Final Rule, heightened requirements for covered entities in several areas, including breach notification and privacy practices. In light of these increased requirements, and in an effort to assist health care providers to comply with HIPAA, HHS recently released a new security-risk assessment tool and has begun a new comprehensive audit program.
Under the omnibus rule, health care providers had to address the steps needed to comply with these sweeping changes; the compliance deadline was Sept. 23, 2013.
Among the areas addressed in the overhaul was an expanded definition of “business associate” such that a wide range of new entities – including document-storage facilities or companies that store electronic protected health information – became subject to HIPAA provisions for the first time. This change raised potential liability issues for covered entities.
Under the rule, the definition of “business associate” includes a person or entity that performs functions or activities on behalf of, or provides certain services to, a covered entity where the business associate will have access to protected health information. The expanded definition also covers subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate.
Business associates must enter into contracts with covered entities to appropriately safeguard protected health information and to clarify the scope of the relationship between the parties, including the required services and permitted uses of protected health information. Business associates are directly liable for breaches of protected health information and may be subject to civil and/or criminal penalties for uses or disclosures of protected health information that are not explicitly authorized by the business associate agreement or required by law.
In addition, the rule greatly enhances patients’ privacy rights and protections. For example, covered entities were required to revise their “Notice of Privacy Practices” to state that individuals have the right to opt out of fundraising communications. Covered entities must also advise patients of their breach notification obligations.
The rule removes the exception to the breach definition related to limited data sets. Following a disclosure of even a limited data set, a covered entity must still engage in notification or risk assessment.
Since the deadline for compliance under the rule, HHS has released a new, interactive tool to help covered entities comply with HIPAA.
The agency’s new security-risk assessment (SRA) tool, designed primarily for small to medium-sized health care providers, is intended to assist health practices in conducting and documenting a comprehensive risk assessment at their own pace.
By using the assessment, providers may assess the information-security risks within their organizations. The assessment also produces a report that practices may provide to auditors.
The assessment also assists health care providers in uncovering potential weaknesses in their security policies, processes, and systems.
The agency’s Office for Civil Rights recently signaled that it will begin Phase 2 of its HIPAA Audit Program in October 2014, continuing through approximately June 2015. Unlike Phase 1, which focused exclusively on covered entities, Phase 2 will include both covered entities and business associates.
Phase 1, which took place in 2011 and 2012, revealed that nearly two-thirds of the 115 entities examined had failed to adequately address information-security risks as HIPAA requires.
More specifically, Phase 2 audits will address related security issues including, but not limited to, notice to patients of privacy practices, the content and timeliness of breach notifications, and staff familiarity with HIPAA policies and procedures.
In light of the rule and the upcoming audit program, and with the assistance of the new SRA tool, health care entities should take the following steps:
Audit your compliance program. By conducting regular audits and risk assessments, providers can uncover potential weaknesses in their security policies, processes and systems.
Review and revise policies and procedures. A key challenge for any health care provider is putting in place the appropriate operational mechanisms for carrying out these new changes, especially conducting security-incident risk assessments and documenting the results in order to meet the burden of proof in an audit or investigation.
Regularly retrain staff. Apprise your staff of all HIPAA changes as they arise. A well-informed staff will help to avoid HIPAA violations and related penalties.


Angela L. Carr and Kristen M. Whittle, attorneys at Barton Gilman LLP in Providence and Boston, advise clients on patient-privacy compliance issues.