Legal Alert: Final HIPAA Regulations Released: Time to Review Your HIPAA Policies?

Date   Feb 19, 2013

The U.S. Department of Health and Human Services ("HHS") recently released long-awaited final HIPAA Regulations.


Executive Summary:  The U.S. Department of Health and Human Services ("HHS") recently released long-awaited final HIPAA Regulations.  The new regulations finalize many changes previously proposed to the Privacy, Security, and Enforcement Rules, and modify the Breach Notification Rule initially adopted in August 2009.  In addition, the new regulations extend HIPAA application to Business Associates. 

The new Rules will be effective on March 26, 2013, with a compliance period of 180 days.  All covered entities must comply with the new Rules by September 23, 2013.

Brief Overview of Final Regulations:

New Breach Notification Rule.  Notably, the new regulations provide for a new Breach Notification Rule.  That new rule provides that an impermissible acquisition, access, or use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment using four factors:

  1. the nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;
  2. the unauthorized person who used the PHI or to whom the disclosure of PHI was made;
  3. whether the PHI was actually viewed or acquired or, alternatively, if only the opportunity existed for the information to be viewed or acquired; and
  4. the extent to which the risk to the PHI has been mitigated.

New Definitions.  In addition, the new regulations modify various definitions and create new rules related to: Access to Records, Business Associates, Decedents, Electronic Media, Health Care Operations, Fundraising, Immunization Records, Marketing, Notifications to Persons involved in Patient's Care, PHI (includes genetic information), Requested Disclosures to Third Parties, Requested Restrictions, Research, and Sale of PHI.  

Covered entities should review and amend their Notices of Privacy Practices and HIPAA Policies and Procedures to incorporate both the new breach notification rule and to ensure compliance with all revised definitions and rules.   

Application to Business Associates.  Additionally, the new regulations extend HIPAA's application to Business Associates and any Business Associate Subcontractors.  Business Associate Agreements should also be reviewed and amended to ensure compliance with the new regulations.

Next Steps:

You should review and update your HIPAA practices and policies, compliance manual, and Business Associate Agreements and provide updated training to your employees that access protected health information.

If you have any questions regarding HIPAA or other employee benefits issues, please contact Tiffany, Isabella Lee,, Scott, or any member of FordHarrison's Employee Benefits Practice Group.