Fall 2013
d&G Lawyer News

101 E. Kennedy Blvd.,
Suite 2000
Tampa, FL 33602

2013 HIPAA Law Changes
By: Patrick J. McNamara and Kristin K. Morris

Effective March 26, 2013, the Health Insurance Portability and Accountability Act ("HIPAA") underwent significant changes that will affect medical providers, their patients, and their Business Associates. HIPAA is intended to protect the protected health information ("PHI") of patients from use and disclosure not authorized under the rules. PHI is 1) health information created or received by a Covered Entity, 2) that relates to the health of an individual, or 3) to the payment for health care, which identifies (or could reasonably identify) an individual and is transmitted or maintained in any form or medium. Covered Entities include health plans, specifically group health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form. Covered Entities must comply with the requirements of HIPAA, and failure to do so results in direct liability under HIPAA.
HIPAA consists of four (4) major sections: the Enforcement Rule, the Security Rule, the Privacy Rule, and the Breach Notification Rule. While the changes were effective March 26, 2013, the compliance deadline is September 23, 2013. This article will discuss the most notable changes to HIPAA.

The definition of a "Business Associate" has changed. An important distinction in the definition is that those who merely transmit PHI are not Business Associates, while those who store and/or maintain it are Business Associates. Another important change is that a Business Associate now includes the subcontractors of a Business Associate. A subcontractor is a person that creates, receives, maintains, or transmits PHI on behalf of the Business Associate, or a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate. This major change subjects subcontractors of Business Associates to direct liability under HIPAA.

The changes to the Enforcement and Security Rules are not the most noteworthy, but a few of them will have widespread implications. Under the new rule, Covered Entities, Business Associates, and subcontractor Business Associates are liable for their Business Associate agents. The Security Rule now directly applies to the Business Associates of Covered Entities. Essentially, any Business Associate of a Covered Entity, including subcontractor Business Associates, must comply with all provisions of the Security Rule. Failure of a Business Associate to comply with these provisions will result in the Business Associate's direct liability under HIPAA. In addition, under the Security Rule, a Business Associate of a Covered Entity is required to enter into a Business Associate Agreement with any subcontractor of that Business Associate. Finally, any security incidents, such as breaches, must now be reported up the chain to the Covered Entity. For example, a subcontractor Business Associate must report a breach to the Business Associate, who then must report it to its Covered Entity; the Covered Entity is then responsible for notifying the proper party.

The bulk of the changes came to the Privacy Rule provisions, specifically as they relate to Business Associates. It is important to remember that a person becomes a Business Associate by meeting the definition of a Business Associate, regardless of the presence of a Business Associate Agreement. A Business Associate is now also directly liable for certain provisions of the Privacy Rule, including: uses and disclosures of PHI that are not in accord with the governing Business Associate Agreement or the Privacy Rule; failure to provide breach notification to the Covered Entity; failure to provide access to Electronic PHI to the individual or Covered Entity; failure to disclose PHI to the Secretary; failure to provide an accounting of disclosures; and failure to comply with the requirements of the Security Rule. Further, Business Associates must comply with the Minimum Necessary principle: PHI is not disclosed unless necessary, and then only to the least extent necessary, to perform the required job. The final important change in this section is that requirements in Business Associate Agreements trickle down to subcontractors and sub-subcontractors on down the line.

The final HIPAA section that underwent significant change is the Breach Notification Rule. The definition of a breach has been modified so that an impermissible use or disclosure of PHI is now presumed to be a breach, which triggers the Breach Notification requirements, unless the Covered Entity or Business Associate demonstrates through a Risk Assessment that there is a low chance that the PHI has been compromised. A Risk Assessment by a Covered Entity or Business Associate must consider at least the following factors: a) the nature and extent of the PHI involved; b) the unauthorized person who used the PHI; c) whether the PHI was actually acquired or viewed; and d) the extent to which the risk to the PHI has been mitigated. A Risk Assessment is only necessary when the Covered Entity or Business Associate believes no notification is necessary, and it should be performed as soon as possible upon discovery of a potential breach, as the Breach Notification timeframe remains unchanged.

The implications of the HIPAA changes are great, particularly for law firms and other Business Associates that were not previously directly liable under HIPAA. Law firms in particular need to take great care to ensure that their Business Associate Agreements and office policies and procedures reasonably and appropriately protect PHI, comply with the Minimum Necessary requirement, and are adequately equipped to prevent, detect, and deal with any potential breaches of HIPAA.

This article is just a brief summary of some of the major changes that will affect medical providers, other Covered Entities, Business Associates, and patients. For a more in-depth analysis please visit If you have any questions regarding the changes to HIPAA, please contact Pat McNamara at or Kristin Morris at

101 E. Kennedy Blvd., Suite 2000 | Tampa, FL 33602 | 813-229-2775 Fax: 813-229-2712