HIPAA’s Final but Sweeping Changes to Privacy and Security Rules


January 30, 2013 | Reading Time: 2 Minutes

On January 17, 2013, the Department of Health and Human Services issued its final modifications to the rules under the Health Insurance Portability and Accountability Act (HIPAA), originally passed in 1996.

With technology and data exchange advancing so dramatically in just the last 5 years, it stands to reason that HIPAA would also require updating. In the face of broad-scale changes in both technology and health care delivery, HIPAA’s new rules are intended to strengthen the privacy and security of individuals’ protected health information. They are also more closely entwined with the HITECH Act. Several of these new rules have important implications for telehealth practice. For practitioners, these changes impose yet more requirements in the event of a privacy breach.

This Final HIPAA Rule Brings New Rules & Deadlines

This final HIPAA rule goes into effect on March 26, 2013, and all covered entities and their business associates must be in compliance by September 23, 2013. Business associates will be held more directly accountable. Maximum penalties for negligence and data breaches have been increased. The new rules also require more information to be given to consumers and expand enforcement operations for infractions in the handling of health care information.

New Expectations for Business Associates

Business associates of covered entities will now be directly liable for compliance with the HIPAA Privacy and Security Rules’ requirements. Previously, direct liability rested only with covered entities, such as clinical practitioners, clinics, hospitals and health plans (insurers); business associates were bound only through their contracts with those entities.

Under this new rule, HIPAA compliance standards and liability apply directly to contractors, subcontractors and business service companies that create, receive, maintain or transmit protected health information on behalf of health care providers and health plans. This means that companies providing electronic health records software, teleconferencing, data back-up and storage, billing, transcription and other IT services will now be directly responsible for HIPAA compliance.

Higher Penalties for Non-Compliance

The new rule also raises the maximum penalty for noncompliance and data breaches. It adopts the tiered civil penalty structure introduced by the 2009 HITECH Act, under which penalties scale with the degree of negligence and are capped at $1.5 million per calendar year for all violations of an identical provision. Standards for data breach notification have also been clarified and made more stringent: an impermissible use or disclosure of protected health information is now presumed to be a reportable breach unless the entity can show, through a documented risk assessment, that there is a low probability the information was compromised.

New Patient Rights and Privacy Regulations

Individuals will now have the right to an electronic copy of their health records when those records are maintained electronically. When treatment is paid for completely out of pocket, patients will now have the right to request that their health care providers not disclose that treatment to their health insurance companies. In addition, protected health information may not be used for marketing or fundraising purposes, or sold, without the individual’s direct authorization.

Companies providing business services to health care providers and health insurance companies may well be unprepared for these changes. Infrastructure, documentation, and procedures for information privacy and security, including data encryption and disposal, will have to be evaluated and brought into compliance. In addition, companies will need to provide formal security training to all employees, designate a security official, and put appropriate business associate contracts in place with their own subcontractors.

When HIPAA’s original privacy and security standards took effect, most health care practitioners, hospitals and insurance companies scurried to bring themselves into compliance. In the face of these final rules, business associates will have to go through the same process.
