

HIPAA Changes Require Revised Privacy and Security Documents

Mar 3, 2013

Most health care providers have established procedures and policies for handling patient Protected Health Information ("PHI"). Due to recent regulatory updates, it is time to revisit security and privacy practices to determine where modifications are needed. 

The Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security, and Enforcement Rules have each been revised. Nearly all health care providers are affected in some way, with changes required for documents addressing PHI, including:

  • Notices of privacy practices
  • Patient authorizations
  • Business associate agreements
  • Breach notification policies

The new omnibus rule is effective on March 26, 2013, but covered entities have until September 23, 2013 to bring their documents, and the procedures they reflect, into compliance. However, agreements with business associates existing as of January 25, 2013 that are not subject to renewal or modification before September 23, 2013, have until September 23, 2014 to become compliant with the new rule.

Privacy, Authorization, and Access to PHI

Notices of privacy practices ("Privacy Notices") must be modified to give patients greater opportunity to authorize, opt out of, and restrict certain uses or disclosures of their PHI. Privacy Notices must now describe the patient's right to authorize (or decline to authorize) uses of PHI in activities that would result in remuneration to the provider. In addition, marketing and fundraising communications must give the individual a clear opportunity to opt out of further communications. Patients may also now require that disclosures of their PHI to a health plan be restricted when they pay for the treatment entirely out of pocket.

Patient access to PHI has been simplified. Patients must be given ready access to their electronic PHI in the form and format they request, if it is readily producible in that form and format. The process for releasing student immunization records required by schools is also relaxed; it now requires only oral (but documented) authorization from the parent, guardian, or student if emancipated. Privacy Notices must also state that, if a breach of unsecured PHI occurs, the provider will notify the affected individual as required by the HIPAA breach notification rules.

Covered health care providers need not redistribute a revised Privacy Notice containing the above modifications to existing patients. As under the prior privacy rule, providers are required only to give a copy of the new Privacy Notice to new patients and make a good-faith effort to obtain their written acknowledgement of receipt. Providers may post a summary of the revised Privacy Notice in a "clear and prominent location," so long as the full Privacy Notice is immediately available without any additional burden on the individual.

Business Associate Agreements

The new omnibus rule expands the definition of "business associate" to include any individual or entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity, and to include a subcontractor that does the same on behalf of a business associate.

Business associate agreements need to be modified to impose direct responsibility on the business associate for compliance with the new omnibus rule, with specific references to the applicable regulations and breach reporting requirements. Through the agreement, the covered entity must obtain satisfactory assurances that PHI will be appropriately safeguarded and used or disclosed only in accordance with the covered entity's "minimum necessary" standards.

Because business associates are now directly liable for compliance with the privacy and security rules, all business associate agreements should be carefully evaluated and drafted so that the covered entity is not held liable for the breaches or other failures of its business associates. Agreements must be crafted to give the covered entity an appropriate level of control without making the business associate its agent, since a covered entity can be liable for the acts of a business associate that acts as its agent.

Breach Notification Policies

The revised breach notification rule uses a more objective breach assessment method than the prior standard. An impermissible use or disclosure of unsecured PHI is now presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a "low probability" that the protected health information has been compromised. That demonstration requires a risk assessment of at least four factors: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.

The required breach notification process is generally unchanged, but because the covered entity is responsible for reporting its own breaches as well as those of its business associates, the procedures for breach risk assessment, mitigation, and documentation deserve renewed attention. Civil monetary penalties for violations have also increased: up to $50,000 per violation and up to $1,500,000 for all violations of the same HIPAA provision within a calendar year, with the amount within that range depending on the violator's knowledge of or willfulness in the violation and on any corrective action taken.

For questions regarding patient privacy and security requirements, business associate agreements, and HIPAA compliance, please contact Raquel Laude at (585) 512-3514 or



This publication is intended as an information source for clients, prospective clients, and colleagues and constitutes attorney advertising. The content should not be considered legal advice and readers should not act upon information in this publication without individualized professional counsel.