New Changes for HIPAA

New updates to the HIPAA regulations are being issued, containing numerous changes based, for the most part, on The HITECH Act passed in 2009.  Some the latest regulations change such things as who is a Business Associate and who is responsible for their compliance and any HIPAA violations they make.  The new requirements have a direct impact on what needs to be put into the business associate agreements you establish.  Other changes put into effect new requirements to allow individuals to receive electronic copies of information held electronically, requiring that entities clearly define their HIPAA Designated Record Set.

All covered entities, and now, business associates of covered entities, need to review their HIPAA compliance, policies, and procedures to see if they are prepared to meet the changes in the rules.  Covered entities that use electronic health records (EHRs) will need to meet new access and disclosure rules and all kinds of business associates will need to establish compliance programs.  The law includes new requirements for audits by the US Department of Health and Human Services (HHS), now under way, and the regulations call for mandatory penalties in the event of willful neglect of the regulations.  Also included are the new requirements to restrict the flow of information in certain circumstances, and new restrictions on certain uses and disclosures.

Here is a list of new HIPAA changes:

  • New regulations change the way individuals have access to their records, and how much they can find out about whom has accessed their records.
  • Individuals can now request certain restrictions on disclosures that you must honor.
  • There are new requirements for disclosers of health information to apply “minimum necessary” standards.
  • Business Associates have new requirements to comply with HIPAA privacy protections and security safeguards and are subject to enforcement and penalties directly by HHS.
  • Sub-contractors of Business Associates are also considered to be Business Associates under the new rules.
  • Health Information Exchanges, Regional Health Information Exchanges, and e-Prescribing gateways are now considered to be Business Associates.
  • New limitations on marketing and fund-raising may change how entities can reach out to individuals.
  • New audit and penalty requirements.
  • New penalty structure and the new audit program.

We will update offices with additional information in future articles.  Contact Ann Deen at cadeen@tso.com with questions.