
URGENT: Amended HIPAA Requirements

Thursday, September 19, 2013   (0 Comments)
Posted by: Tara Breitsprecher



The Department of Health and Human Services (HHS) released the Health Insurance Portability and Accountability Act (HIPAA) Final Rule on Jan. 25, 2013. The Rule went into effect March 26, 2013, and covered entities (CEs) and business associates must comply with the requirements of the Final Rule by September 23, 2013. The Final Rule enhances patient privacy protections, provides individuals with new rights to their health information, and strengthens the government's enforcement of and penalties under the law. The changes that must be in effect on September 23rd are the following:


Changes to Notice of Privacy Practices


Changes were made to the information that is now required in the CE's Notice of Privacy Practices (Privacy Notice). CEs will need to update their Privacy Notices as required by the law. The updated Privacy Notice need not be given to existing patients who have already received a Privacy Notice. However, a copy of the updated Privacy Notice must be posted in the practitioner's office and all new patients must be given a copy.

Updated Privacy Notices must include the following statements, among others:

  • Most uses and disclosures of psychotherapy notes, uses and disclosures of protected health information (PHI) for marketing purposes, and disclosures that constitute a sale of PHI require patient authorization;
  • Other uses and disclosures not described in the Privacy Notices will be made only with authorization from the individual;
  • Patients have the right to restrict certain disclosures of PHI to health plans/insurance companies if the patient pays out of pocket in full for the health care service; and
  • Affected patients have the right to be notified following a breach of unsecured protected health information.

Modifications to the Breach Notification Rule


An "impermissible use or disclosure" of PHI is presumed to be a breach unless the CE or business associate demonstrates that there is a "low probability that the protected health information has been compromised." Breach notification is not necessary if a CE or business associate demonstrates through a documented risk assessment that there is a low probability that the PHI has been compromised. CEs and business associates must assess the probability that the PHI has been compromised based on a risk assessment that would be performed routinely following any security breach. The risk assessment considers the following factors:

  1. Nature and extent of PHI involved;
  2. To whom the PHI may have been disclosed;
  3. Whether that PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated (for example, assurances from recipient that information has been destroyed or will not be further used or disclosed).

Providers are required to give notification of a breach unless the information was secure. If the risk assessment fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification is required. This risk assessment should be documented in your records for all potential breaches.

Providers will need to update their incident response and breach notification processes to reflect the change from a "risk of harm" standard to a "presumption of breach" standard and to include the four-factor assessment. It is important to note that HHS includes not just unauthorized access to PHI, but also impermissible uses by knowledgeable insiders, in its definition of a breach requiring an assessment.


Business Associates

Business associates and their subcontractors must now comply with the HIPAA rules in the same manner as covered entities. Any entity that "creates, receives or transmits" PHI on behalf of a covered entity may now be held directly liable for impermissible uses/disclosures. Business associates and subcontractors must conduct risk assessments under the HIPAA Security Rule.

Although business associates are now directly regulated under HIPAA, covered entities are still responsible for their business associates' actions. Therefore, CEs must ensure that they obtain satisfactory assurances of HIPAA compliance through their business associate contracts and business associates must do the same for their subcontractors.


Penalty Structure

HHS set up a four-tier financial penalty structure for breaches deemed serious enough to warrant a penalty imposed by the federal government. Based on culpability, fines range from $100 to $50,000 per violation with a cap of $1.5 million on violations of identical provisions happening within the same calendar year. High-level penalties are targeted at CEs who are being willfully neglectful or making no attempt to correct problems.

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.


Please visit NASW's website to view updated sample forms that social workers can use in their practice.