American Osteopathic Association

The HIPAA final rule includes changes designed to increase patient privacy and secure health information. The final rule became effective March 26, 2013, and had a compliance date of Sept. 23, 2013. Here’s a look at what’s different and how to address the changes in your practice.

Broader Definition, More Liability for BAs

Expanded Definition of BAs: Business associates (BAs) are organizations that create, receive, transmit or maintain protected health information (PHI). More organizations are considered BAs under the final rule. In addition, business associates’ subcontractors are now also considered BAs, so they need to agree to the same terms you’ve established with the BA.

Greater BA Liability: Business associates are now directly liable for uses and disclosures of PHI and must inform physician practices within 60 days of discovering a breach. BAs are required to implement safeguards, policies and procedures to protect PHI; they must also maintain documentation demonstrating compliance.

  • Action item: Conduct BA training. It’s a good idea to train business associates to make sure they have procedures in place to avoid a breach of protected health information. Note that your practice can be held liable for a breach caused by a BA or subcontractor acting as your agent.
Updates to the Notice of Privacy Practices

  • Action item: Update Notice of Privacy Practices. Physicians were required to update their Notice of Privacy Practices by Sept. 23, 2013. The revised notice must include the following:

    • Patients have the right to restrict disclosures of PHI to health plans if they pay for services out of pocket in full

    • The patient’s authorization is required for use and disclosure of PHI for marketing purposes

    • The patient’s authorization is required for use and disclosure of PHI that would constitute a sale of PHI

    • Patients have the right to opt out of fundraising communications

    • Other uses and disclosures of PHI not described in the notice will be made only with authorization from the patient

    • Patients have the right to be notified if they are affected by a breach of unsecured PHI

  • Action item: Distribute updated Notice of Privacy Practices. The revised privacy notice must be:

    • Posted in a prominent location in your practice like the patient waiting room

    • Posted on your website, if you have one

    • Given to new patients starting Sept. 23, 2013

    • Made available to existing patients on request

Patients May Request Records, Restrict PHI Disclosure

Patients may request EHR records: If you use electronic health records (EHRs) in your practice, patients must be able to obtain a copy of their medical records upon request. You can require that requests be made in writing, but fees cannot be greater than the practice’s labor costs in responding to the request. Requests must be completed within 30 days, with a one-time extension of up to 30 days.

  • Action item: Create an EHR request workflow. Develop a procedure for responding to patient requests for medical records.

Patients can restrict PHI disclosure. Patients have the right to restrict disclosures of PHI to their health plan if they pay out of pocket in full. Note that if state or other laws require providers to submit a claim and there’s no exception for those who pay out of pocket, you may disclose the PHI to the health plan.

  • Action item: Protect restricted PHI. Develop a system for “flagging” PHI that has been restricted by a patient to be sure it’s not inadvertently disclosed to a health plan.

Handling a Breach of Protected Health Information

Stricter standards: Under the HIPAA final rule, any unauthorized disclosure of patient records is presumed to be a breach and must be reported unless the practice performs a risk assessment demonstrating a low probability that PHI was compromised.

Risk assessment process: Breach notification isn’t required if the physician or BA can demonstrate through a risk assessment that there is a low probability the PHI has been compromised. If you determine the unauthorized disclosure wasn’t a breach, you should maintain documentation to support your stance. If you decide to notify patients about the disclosure, you’re not required to conduct the risk assessment.

Breach notification process: If a breach occurs, you must notify the Secretary of the Department of Health and Human Services (HHS) within 60 days of the end of the calendar year when the breach was found, if it affects fewer than 500 individuals. If the breach affects more than 500 patients, you must notify the HHS Secretary immediately.

  • Action item: Develop a plan ahead of time. Reduce the risk of a breach by determining who can and can’t access PHI. Set up a plan for conducting and documenting a risk assessment. Likewise, establish who is responsible for notifying the HHS Secretary in the event of a breach.

Increased Penalties for Noncompliance

Penalties for HIPAA violations can be anywhere from $100 to $50,000 per violation; the annual limit is $1.5 million. Some health care experts believe the federal government is moving toward enforcing noncompliance more rigorously than in the past, so it’s more important than ever to take proactive steps to make sure your practice is complying with HIPAA requirements.
