Call:  (407) 331-6620 or (850) 439-1001
Toll-free:  (888) 331-6620 
Pay Online
Subscribe To Our Monthly Newsletter

Seven Things To Know When You Receive A Notice Of Investigation From The Department Of Health

Download Free Copy

New HIPAA Changes Effective Sept. 23, 2013

The new HIPAA regulations are designed to provide patients with better privacy protection, and additional rights not included in the original HIPAA rules.

By Michael L. Smith, R.R.T., J.D.


(September 30, 2013) – The Department of Health and Human Services (HHS) published amended rules applicable to the Health Insurance Portability and Accountability Act (HIPAA) of 1996 in January 2013. As explained by the Secretary of HHS, healthcare has experienced significant changes since HIPAA was enacted in 1996. The implementation of electronic medical records is just one of those changes. The new HIPAA regulations are designed to provide patients with better privacy protection, and additional rights not included in the original HIPAA rules. The new rules became effective on Sept. 23, 2013.

The HIPAA regulation changes include new patient rights. Patients now have a right to request electronic copies of their records if their health care provider maintains records in electronic form. Patients also have the right to restrict the disclosure of some of their protected health information to a health plan when the patient has paid out of pocket in full for their care.

Every covered entity must modify their Notice of Patient Privacy Rights documentation to include the additional patient rights included in the new HIPAA regulations. Earlier this month, the HHS Office of Civil Rights published model Notices of Privacy Practices on its website to assist covered entities and health plans with complying with the new requirements.

According to HHS, several of the largest HIPAA breaches have involved business associates. Consequently, the new HIPAA regulations also include significantly increased requirements for business associates and the subcontractors of those business associates. A subcontractor is any entity that does not have a direct contractual relationship with a covered entity, but still receives, maintains, transmits or creates protected health information as part of their work for a business associate of a covered entity. Under the new regulations, subcontractors are included in the definition of “business associate” and also subject to the same criminal and civil sanctions applicable to covered entities and business associates for violations of HIPAA.

The new HIPAA regulations also require each covered entity to take action to cure a breach or end a HIPAA violation by its business associate if the covered entity knows of a pattern or practice of its business associate that violates HIPAA. Covered entities will need to take a more active role in monitoring the activities of their business associates to cure breaches and end HIPAA violations.

The new HIPAA rules also include increased penalties required by the HITECH Act. Now there are four categories of violations based upon the level of culpability involved in the breach. There are corresponding penalties for each category of violation with significantly increased minimum penalties. The maximum penalty amount of $1.5 million annually. As we have discussed in previous posts, the actual cost of violating HIPAA includes numerous other costs in addition to the penalty imposed by HHS. Those other costs include investigation costs, notice to patients, and the purchase identity protection coverage for the affected patients.

The new HIPAA regulations strengthen the limitations on the use and disclosure of protected health information (PHI) by covered entities and business associates for marketing and fundraising purposes. The new HIPAA regulations also prohibit the sale of PHI by covered entities or business associates without the consent of the patient.

Every covered entity should ensure that its Notice of Patient Privacy documentation has been reviewed and revised as necessary to comply with the new regulations. Covered entities and business associates should ensure that all their business associate agreements are compliant with the new HIPAA regulations.

Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.

This article was originally published in Advance for Respiratory Care and Sleep Medicine.

Main Office • 1101 Douglas Avenue, Suite 1000, Altamonte Springs, FL, 32714
By Appointment • 37 N. Orange Ave., Suite 500, Orlando, FL 32801
By Appointment • 201 E. Government St., Pensacola, FL 32502 Telephone: (407) 331-6620(850) 439-1001 Telefax: (407) 331-3030

Medicare/Medicaid Audits, Health Care Law, Contracts, Hospital Privileges Hearings, Investigations, DEA Defense, Board of Medicine Defense, Fraud Defense, Administrative Hearings, PRN, IPN, Professional Licensing, Medicare/Medicaid Fraud Defense, Nursing Law, Compliance Plans, Hospital Law, Board of Dentistry, Board of Nursing, Board of Pharmacy, Board of Psychology, White Collar Crime, Pain Management and Pain Medicine Physician Defense, Pain Management Clinic Defense, Zone Program Integrity Contractor (ZPIC) Audit Defense, Recovery Audit Contractor (RAC) Audit Defense, Medicaid Fraud Control Unit (MFCU) Defense, Search Warrant and Subpoena Defense, Board of Psychology Defense, NBME Representation, U.S.M.L.E. Challenges, ABIM Representation, Medical Exam Cheating Defense…and more

Available in the following Florida cities and counties: Daytona Beach, Fort Lauderdale, Gainesville, Jacksonville, Key West, Melbourne, Miami, Ocala, Orlando, Pensacola, Panama City, Sarasota, St. Petersburg, Tallahassee, Tampa, West Palm Beach, Alachua, Baker, Bay, Bradford, Brevard, Broward, Calhoun, Charlotte, Citrus, Clay, Collier, Columbia, Dade, De Soto, Dixie, Duval, Escambia, Flagler, Franklin, Gadsden, Gilchrist, Glades, Gulf, Hamilton, Hardee, Hendry, Hernando, Highlands, Hillsborough, Holmes, Indian River, Jackson, Jefferson, Lafayette, Lake, Lee, Leon, Levy, Liberty, Madison, Manatee, Marion, Martin, Monroe, Nassau, Okaloosa, Okeechobee, Orange, Osceloa, Palm Beach, Pasco, Pinellas, Polk, Putnam, St. Johns, St. Lucie, Santa Rosa, Sarasota, Seminole, Sumter, Suwannee, Taylor, Union, Volusia, Wakulla, Walton, and Washington

By making this website information available for those who access it does not constitute doing business in or having a presence in any state or jurisdiction, nor does it constitute an advertisement sent to or a solicitation made in any state or jurisdiction. This firm is located in and maintains a presence in only those states where the firm maintains an actual physical office. Its attorneys are only admitted to practice in those states specifically listed on their resumes.

Available in the following states*: Alabama, Alaska, Arizona, Arkansas, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, West Virginia, Wisconsin, and Wyoming

Disclaimer | Terms of Representation

The Health Law Firm logo shown above is a registered Service Mark of George F. Indest III, P.A. – The Health Law Firm, since 2007.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999. Copyright © 2024 The Health Law Firm. All rights reserved.