The Latest Changes Surrounding HIPAA

Healthcare Training Resource
July 19, 2013

Between 2001 and 2003, healthcare providers began to brace themselves for HIPAA compliance. The rush for compliance, however, did not result in effective implementation. Eventually, covered entities grew lax about compliance, and many legislators questioned its potency. Under the Obama administration, the ARRA (American Recovery and Revitalization Act of 2009) brought forward impending changes to HIPAA.

New Covered Entities

The ARRA brought forward a new class of covered entities that deal in web-based collection of PHR (Personal Health Records). Organizations that handled PHR and emerged under the new HIPAA were websites offering personalized health management, companies selling dietary supplements, and other web-based services to which blood pressure cuffs, blood glucose monitors and many other devices were attached to save and monitor information.

These new covered entities came to be known as PHR-related entities, and they fell directly under FTC (Federal Trade Commission) jurisdiction. HIPAA also required covered entities to be in a contractual agreement with the third-party service providers or business associates who would be entrusted with secure destruction.

The HIPAA changes also gave the Attorney General of each state absolute power over HIPAA enforcement. A HIPAA complaint now attracts a $1,500,000 fine, 600% more than the previous $25,000. This shows the administration's intention of using enforcement as a weapon towards compliance.


Following the HIPAA changes, the administration seems adamant about putting previous doubts on enforcement to rest, at least on paper.

Steps being taken in this direction:

1. Notification of Breach

HIPAA now gives patients the right to be notified of any breach of PHI. HHS (Human and Health Services) should also be notified in case a breach impacts more than 500 persons. The breaching entity's name will be posted on the Human and Health Services website.

2. Electronic Health Record Access

HIPAA now allows patients to request their PHI in an electronic format wherever a provider has an EHR (Electronic Health Record) system in place.

3. Business Associates and Business Associate Agreements

Business Associates were formerly guilty of not being in the requisite contractual agreements with covered entities, but all that is bound to change: they too are being placed on the 'compliance' hook, under which they are now required to comply with the safeguards mentioned in the HIPAA security rules.

Some other aspects that are being changed under the new HIPAA are:

1. Fundraising: Communication requirements for fundraising have evolved under HIPAA. Covered entities now have more flexibility in how they fundraise and in how they offer individuals the option to opt out.

2. Marketing: A covered entity is now required to obtain authorization if it is receiving payment from a third party for marketing communications.

3. Sale of PHI: Under HIPAA laws, a covered entity does not have the right to sell an individual's PHI without his/her authorization.

4. Student Immunization in Schools: In states having mandatory vaccination laws, covered entities are now allowed to disclose immunization records to schools without obtaining formal parental authorization.
