New Patient Privacy Rules Take Effect

September 2, 2013

The regulations associated with the Final Rule of the Health Insurance Portability and Accountability Act (HIPAA), released January 25, 2013, become mandatory on September 23, 2013. HIPAA regulations govern how providers handle their patients' protected health information (PHI). Providers who fail to comply could face large fines (up to $1.5 million). The Final Rule is more prescriptive: subcontractors and business associates must now comply along with covered entities (providers). A business associate, roughly defined as anyone who creates, receives, maintains, or transmits PHI, may be subject to HIPAA rules by virtue of that business association. The actual processes, procedures, and requirements needed to demonstrate compliance often depend on the size and type of practice environment.


The Final Rule is intended to bolster privacy and security protections for PHI by greatly enhancing the government's ability to enforce the law, first introduced in 1996. The new regulation addresses four major areas: (1) privacy, security, and enforcement; (2) changes to the enforcement rules; (3) breach notification; and (4) disclosure of genetic information. The rule extends compliance obligations beyond covered entities (providers) to subcontractors and business associates. A completed business associate agreement between a covered entity and a business associate documents that the business associate agrees to the required business practices and will ensure compliance with the regulations. The rule updates and enhances privacy notices, which strengthen the limits on use and disclosure of information without authorization and provide patients with access to their information. It also increases the fines and penalties for non-compliance and for resulting harm to patients, and it defines more specifically what constitutes harm.

Providers need to have procedures in place to protect the confidentiality and privacy of patient information. Appropriate authorization is needed for any information that is shared, and very specific requirements apply to information that is shared electronically. While most providers already have these procedures and agreements in place, the Final Rule requires them to update existing notices and to issue notices to new patients.


U.S. Department of Health & Human Services, Office for Civil Rights

ASHA's HIPAA website

For more information, please contact Laurie Alban Havens, ASHA's director of private health plans and Medicaid advocacy, by e-mail at or by phone at 301-296-5677.
