Publication of HIPAA/HITECH Final Rule Signals Major Changes for Covered Entities and Business Associates

New Compliance Requirements Take Effect September 23, 2013; What You Need to Do Now

Legal Alerts

2.07.13

The final mega HIPAA/HITECH rule that was officially published in the Federal Register on January 25, 2013 (the “Final Rule”) requires HIPAA Covered Entities (e.g. health plans, health care providers that engage in electronic transactions, and health care clearinghouses) to make a number of changes to their operations, HIPAA documents and policies. The Final Rule also directly obligates HIPAA Business Associates and their Subcontractors to comply with the administrative, technical and physical safeguard and some documentation requirements of the Security Rule, certain aspects of the Privacy Rule, and the Breach Notification Rule. Business Associates and Subcontractors will now be directly responsible to the Office for Civil Rights (OCR) of the Department of Health and Human Services (DHHS) for compliance with these Rules, and can be civilly and criminally penalized for failure to comply.

Unless otherwise noted in this alert, these changes must all be made no later than September 23, 2013. Doing the math, that gives Covered Entities and Business Associates about seven and a half months to work through all of the changes, create the new agreements, policies and documents, and train staff on implementing them.

By the September 23, 2013 deadline, Covered Entities and Business Associates will need to:

  • Revise the Notice of Privacy Practices (this is applicable only to Covered Entities). Both health care providers and health plans must redistribute the new Notice of Privacy Practices, but the methods for doing that differ.
  • Enter into first-time business associate agreements that satisfy the newly revised requirements of HITECH with the entities that the Final Rule now defines as business associates—e.g. any health information exchange organizations, e-prescribing gateways, and other entities that transmit electronic protected health information (EPHI), as well as Patient Safety Organizations, vendors of Personal Health Records, and entities that “maintain” PHI (such as cloud computing entities). Covered Entities will also need to enter into compliant business associate agreements with any more familiar kinds of business associates that have a new relationship with them—for example, if the Covered Entity is changing a service provider, accounting firm or similar relationship prior to September 23, 2013. Business Associates additionally need to enter into business associate agreements with all of their Subcontractors that provide services involving routine handling of PHI – a brand new requirement imposed by the Final Rule.
  • Write a new data breach notification policy. The Final Rule dramatically changed the standards for determining when a breach notification is necessary.
  • Write a new policy dealing with marketing and fundraising activities that involve the use and disclosure of PHI. The Final Rule tightened restrictions on the activities that can be performed without individual authorization.
  • Write a new policy dealing with the disclosure of PHI for remuneration. The Final Rule requires individual authorization and specifies the terms of the authorization document.
  • Write a new policy dealing with a patient’s right to access PHI that is held about them in electronic format. Individuals now have rights regarding the format of produced information, and the right to direct that the electronic information go to a third person instead of only to themselves. The timing of a response to this kind of request was also changed.
  • Write a new policy about disclosing immunization records to schools. An authorization is no longer required, but the Final Rule still requires other forms of permission.
  • Write a new policy dealing with release of PHI to the family of deceased patients who are not an appointed personal representative. These policies will need to dovetail with Michigan’s Medical Records Access Act, which also addresses this issue. Additionally, information about individuals who have been deceased for 50 or more years is no longer considered PHI.
  • Write a new policy regarding an individual’s right to restrict use of PHI for treatment or payment purposes. The Final Rule requires Covered Entities and Business Associates to honor such requests in certain situations involving disclosure to health plans, whereas previously they could choose whether or not to honor the request.
  • Write a new policy regarding “minimum necessary” uses and disclosures of PHI. The Final Rule emphasizes that use or disclosure of more than the minimum necessary amount of PHI is a breach that may require notification to affected individuals, DHHS and the media.
  • Write a new policy about research authorizations regarding research protocols involving the use or disclosure of PHI. The Final Rule permits increased flexibility and consistency with informed consent practices under the Common Rule.
  • For health plans that engage in underwriting, write a new policy prohibiting the use of genetic information for that purpose.

Covered Entities and Business Associates get a bit of a time break for certain actions. For business associate agreements that are already in place, that comply with the HIPAA rules that were in effect as of January 25, 2013, and that will not be otherwise renegotiated before September 26, 2014, Covered Entities and Business Associates will have until that later date (i.e., one year longer than the basic compliance date) to bring all of these agreements into compliance with the new Final Rule requirements. Covered Entities and Business Associates can, of course, phase these in throughout the extra time period; there is no need to wait until 2014 to have them all in place.

OCR, which is the civil enforcement agency for HIPAA, has repeatedly signaled that it will “get serious” about HIPAA/HITECH enforcement once the compliance date for the new final rule arrives. The rule has no “but I was trying!” exception to HIPAA enforcement, which can cost up to $1.5 million per year for each specific violation of each of the HIPAA/HITECH requirements. Now is the time to act to achieve compliance.

To learn more about the impact of this Final Rule on your company’s compliance requirements, please contact the co-authors of this alert, Joanne Lax at 248-203-0816 or Kathrin Kudner at 313-568-6896, any of the Health Care attorneys listed to the left or your Dykema relationship attorney.

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. © 2013 Dykema Gossett PLLC.