July 25, 2013

Health Care Providers: 5 Steps to Implementing HIPAA Changes

Wondering what you need to do to implement the new changes to HIPAA? Here’s a quick checklist:
  1. Update your breach notification policy. Under the old rules, you were allowed to conduct a risk assessment that focused on the likelihood of harm to the individual whose information had been breached. Under the new regulations, you must notify individuals unless you can demonstrate that there is a low probability that the Protected Health Information (PHI) has been compromised.

  2. Update privacy policies and procedures. You will likely need to revise or add provisions to your HIPAA privacy policies and procedures to address the following:
    1. New restrictions on marketing relating to communications funded by pharmaceuticals, medical device manufacturers or other third parties
    2. Prohibitions on the sale of PHI and the exceptions
    3. New rules that make it easier to share immunization records with schools
    4. New requirements for providing records to someone designated by the patient
    5. New rules that make it easier to share information about a deceased patient with family and others involved in the patient’s care or payment for health care services
    6. A new right for the patient to request that you not share information about an item or service with the patient’s health plan where the patient (or someone other than the insurer) pays the full cost
    7. Records will no longer be required to be protected under HIPAA after the patient has been deceased for at least 50 years
    8. For those with electronic patient records, new requirements for providing the patient with an electronic copy of such records
    9. For those engaged in fundraising, new rules that expand the type of patient information that may be used and new opt-out requirements
    10. For those engaged in research, new rules relating to compound authorizations
  3. Update (and maybe enter into new) business associate agreements. Your business associate agreements probably need to be updated to address the new breach notification requirements, compliance with the HIPAA security rule and the requirement that business associates also obtain business associate agreements from subcontractors who use PHI. Also keep in mind that cloud computing vendors, health information organizations, e-prescribing gateways and vendors who offer personal health records on your behalf are now considered HIPAA business associates, so consider whether you need to enter into business associate agreements with these types of entities.
  4. Update your Notice of Privacy Practices (NPPs). You may need to update your NPPs to include the following:
    1. A description of the patient’s new right to restrict disclosures to a health plan
    2. An explanation of the patient’s right to be informed of a breach of PHI
    3. A description of PHI uses that will require authorization, especially if you maintain psychotherapy notes or plan to sell or use PHI for marketing purposes
  5. Train your staff on the updated procedures. Be sure to review updated procedures with your workforce and keep a record of both the training materials and the date each workforce member was trained.

The new regulations become enforceable on September 23, 2013, so you’ll want to complete these steps by then. The only exception is for business associate agreements that were in effect before January 25, 2013 and have not been modified since then: you have until September 22, 2014 to update those agreements.
