Massachusetts Medical Society: HIPAA Changes Now in Effect

Vital Signs: November 2013

Resources Available at

The final omnibus rule from Health and Human Services (HHS) implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) became effective September 23, 2013. Please review the content below to confirm that you have done these things; if you have not, contact the MMS’s Physician Practice Resource Center or an attorney for help and guidance in achieving compliance. Such a process will include the following:

  • You should have reviewed a list of your vendors and contractors to determine which ones are now considered business associates even if they were not before.

    – The final rule broadened the definition of “business associate” to include an entity that “creates, receives, maintains, or transmits” protected health information (PHI) for a covered entity.

  • You should have revised your agreements with your business associates to reflect that they may now be directly liable for a failure to comply with certain HIPAA requirements. If a business associate agreement (BAA) was already in place as of January 25, 2013, and is not renewed or amended, you will have until September 23, 2014, to revise it. HHS notes, though, regarding its sample BAA language, that “[r]eliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or [discussions] between the parties to the contract.”

  • You should understand the requirements for which business associates may now be directly liable, including those relating to:

    – HHS’s investigation of complaints

    – Implementing safeguards to protect PHI

    – Minimum necessary disclosures of PHI

    – Permitted, required, and prohibited uses and disclosures of PHI

  • You should have revised your notice of privacy practices (NPP) to reflect new requirements, and made the new NPP available to all patients. The NPP must now include:

    – A description of the uses of PHI that will not require patient authorization

    – A description of the uses of PHI that will require patient authorization

    – A statement that the patient may opt out of fundraising communications (if applicable)

    – A statement that, if the patient so requests, you will not share information related to care for which the patient paid in full and out-of-pocket, other than as required by law or to care for the patient

    – A statement that you are required to notify individuals of a breach of their PHI

    – If you are a health plan that uses or discloses PHI for underwriting, a statement that you will not use or disclose genetic information for underwriting purposes

The secretary of HHS no longer has discretion about whether to investigate a complaint. He or she must investigate a complaint against a covered entity or a business associate, and must conduct a compliance review if it appears that a HIPAA violation has resulted from willful neglect. It is important to note that the final rule makes covered entities liable for the acts and omissions of their business associates, whether or not a proper BAA is in place. It is therefore important to not only revise your BAA, but also to choose your vendors and contractors with care, so that you trust they will abide by the terms of the BAA.

— Liz Rover Bailey, Esq.

Visit for more information and resources, including a HIPAA toolkit and sample templates for physician use.

Copyright © 2018. Massachusetts Medical Society, 860 Winter Street, Waltham Woods Corporate Center, Waltham, MA 02451-1411