

HIPAA Final Rule Spells Big Changes

The compliance date is just around the corner. Will you be ready?

After great anticipation and apprehension, the HIPAA Omnibus Rule was published in January. For those of us who tracked the previously published Proposed Rule and its changes, the Final Rule contained several surprises, especially for business associates (BAs). In fact, HIPAA BAs that have not already conformed to the previously published Proposed Rule will now have monumental changes to implement in a narrow window of time.

The effective date for the Final Rule is March 26, with the compliance (enforcement) date set for Sept. 23. The only exception is for business associate agreements (BAAs) that are already in place; their deadline is Sept. 23, 2014. When existing BAAs are renewed or revised before Sept. 22, 2014, they must then conform to the Final Rule. New BAAs will be required to follow the Final Rule, so all BAAs will be in full compliance with the Final Rule by Sept. 23, 2014.

The definition of BAs has been expanded to include health information organizations, e-prescribing gateways, storage of protected health information (PHI), and others that provide data transmission and storage services with respect to PHI. This change will impact such businesses as shredding companies, EMR providers, healthcare equipment companies, companies that warehouse PHI (even if they never access the data), etc., as they will now become HIPAA BAs under the Final Rule.

For medical transcription (MT), the most anticipated proposed change was that related to subcontractors. The newly expanded definition in the Final Rule for BAs also directly addressed subcontractors. It states, "A business associate also is a subcontractor that creates, receives, maintains or transmits protected health information on behalf of another business associate." This change will greatly impact a large number of the MT workforce since there are many MT subcontractors (independent contractors) who work for MT services. Their new obligations as HIPAA BAs will be numerous, and for a single practitioner these new obligations could be overwhelming. 

BA Requirements

Here are some of those key HIPAA BA requirements that all subcontractors who handle PHI will now need to follow:

  • A written BA agreement. This agreement would be between the subcontractor and the BA they perform services for, such as an MT service. Just as the MT service has been required since the implementation of HIPAA to have a written BAA with the Covered Entity (CE) they provide services for, now the subcontractor must also have a written BAA with the BA they provide services for. The BA must, of course, comply with all of the requirements outlined in the BAA. HHS posted an updated sample of a BAA consistent with the Final Rule on its website:
  • Comply with the HIPAA Security Rule. This includes the administrative, physical and technical safeguards for PHI, as well as a designated HIPAA Security Officer.
  • Maintain written HIPAA policies and procedures.
  • Provide HIPAA training and keep proof of it.
  • Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of its use.
  • If a subcontractor uses the services of a subcontractor, and they handle PHI, subcontractor A will need to have a written BAA with subcontractor B.
  • Comply with all notification requirements related to the Data Breach Rule.
  • Comply with the contractual Privacy Rule requirements (e.g., termination, HIPAA training, etc.).

Scope of Liability

The scope of liability has also expanded for the BA to include the actions of their subcontractor BAs. Penalties for willful neglect have increased to as high as $50,000 per violation with a maximum of $1.5 million in a calendar year.

BAs should immediately review their use of subcontractors/independent contractors, contact them regarding their new obligations as a HIPAA BA and execute an updated BAA with each subcontractor. Because of your expanded liability related to their actions under HIPAA, you may want to require them to provide you with a copy of their written policies and procedures (P&Ps) and proof of their HIPAA training for your records. BAs will also need to review and update their own P&Ps related to the use of subcontractors/independent contractors to reflect these new changes.

You cannot fix this new challenge by ignoring it or deciding not to establish a BA agreement between the BA and their BA subcontractor. The Final Rule clearly states that the subcontractor to the BA is subject to the same legal obligations as a BA, regardless of whether a written BAA has been entered into.

This change related to subcontractor BAs also has an impact on the CEs. The scope of liability for the CE includes the actions of their BAs, and could also include the actions of their BA's subcontractor BAs. CEs that use BAs, and have allowed them to use subcontractors, should make certain their BAAs obligate their BA to require their subcontractor BAs to protect and secure any PHI received, maintained or transmitted. It would also behoove the CE to request a copy of their BA's subcontractor BAAs to ensure they are indeed in place and compliant with the new Final Rule.

Other key ways CEs can demonstrate due diligence related to HIPAA compliance are to review their BA's HIPAA P&Ps and their HIPAA training materials. Be sure to file all of these materials received from each BA in case of a random HIPAA compliance audit by the Office for Civil Rights (OCR).

The Definition of Breach

If that was not enough change, the Final Rule has made a significant modification to breach notification. This is not unexpected given the number of breaches occurring in the healthcare industry and the inconsistent way the previous threshold of harm analysis was being applied by some of the organizations that had experienced a breach.

In the previously used threshold of harm analysis, the organization (CE or BA) would consider the factors related to the breach (i.e., the elements of PHI involved, where the PHI went, who did what with it, etc.) to determine whether the breach would cause the patient any significant risk of financial, reputational or other harm. If it was determined that there was no significant risk to the patient, no notification to the patient was required.

The Final Rule has instead replaced this significant risk of harm analysis with a presumption that all impermissible uses and disclosures of unsecured PHI are breaches unless the organization can establish that there is a low probability the PHI has been compromised.

Because of this change, the definition of breach was clarified in the Final Rule:

. . . an acquisition, access, use or disclosure of protected health information in a manner not otherwise permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  • the nature and extent of PHI involved, including the types of identifying elements, and likelihood of re-identification;
  • the person who received the PHI or to where the disclosure was made;
  • whether the PHI was actually viewed or accessed;
  • the extent to which the risk to PHI was mitigated.

It is important to emphasize the use of encryption with PHI. The benefit of using encryption was clearly stated in the Final Rule: "If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information." The time has come to evaluate the use of encryption of PHI within your organization. If it seems unaffordable, realize that organizations that have experienced breaches have stated that the costs related to breach remediation are far greater than the cost of using encryption for their PHI.

No Time to Waste

The HIPAA Final Rule has set the bar very high for all of those who handle PHI, from the CE to the BA, to the subcontractor BA. For all of those organizations (CEs, BAs and subcontractor BAs) that have adopted a "wait and see" attitude related to HIPAA compliance, you have painted yourselves into a very small corner. The date of compliance is on the horizon. For those of you who are BAs and think no one will notice if you skimp on your path to HIPAA compliance, the OCR announced in late 2012 that random HIPAA audits will continue and be expanded to include BAs. If you handle PHI, there is no place to hide. You have major steps to follow to achieve and maintain HIPAA compliance as mandated in the Final Rule.

There is no time to waste; HIPAA compliance is not an option.

Brenda J. Hurley is the president of Hurley Makes It Happen!, a consulting company specializing in HIPAA compliance for business associates, and a member of the ADVANCE for Health Information Professionals Editorial Advisory Board. She can be reached at

I have to echo Lisa's advice. First, my understanding is that these medications require a physician or other licensed practitioner to order them. I am not sure about being able to bill for hangover recovery to insurance companies and receive payment.
I recommend good documentation of medical necessity for the service provided.
I would also recommend researching if there are any guidelines from medical associations, for standards of practice for hangover recovery/illness recovery. I am also very concerned as to the medical necessity for IV hydration, when PO hydration should be sufficient. The medical necessity for IV hydration would be if they are unconscious only.
Are you billing patient to pay out of pocket for IV hydration?
I hope this helped you. Good luck.
Patrick Guilfoyle RN, BSN, CPC

Patrick Guilfoyle, Compliance Manager, March 27, 2013
Tabernacle, NJ

Sherry, the following is a response from author Brenda Hurley:

I cannot comment on standards of practice for EMS; this is beyond my scope of practice. If the intention was for standards for practice for HIPAA, I am not sure from the description provided that your friend's business meets the definition of a HIPAA Covered Entity.

You can find guidance for this on the HHS website at

If HIPAA does not apply, it would be important to research the state privacy laws as they would apply since personal information would need to be collected in the course of providing services. Even if HIPAA does apply to your friend's business, state privacy laws will preempt HIPAA when the state laws are more stringent or provide greater rights to the patient.

You can Google specific state privacy laws, but here is one example of a site that could be helpful in your research

Good luck!

Lisa Brzezicki, Co-Editor, ADVANCE, March 26, 2013
King of Prussia, PA

My friend is starting a new business. The concept is IV rehydration for athletic events, illness recovery and hangover recovery. He wants to offer Zofran, Pepcid, Toradol and B12 infused with 1 liter of lactated Ringer's. How can I help to make him compliant and write some standard-of-practice guidelines? Please send me as much information as you can and I will research it all. Thank you.

Sherry Amerman, Paramedic, March 24, 2013
Locust Grove, GA

© 2017 ADVANCE Healthcare, an Elite CE company