Legal Bulletins

Background hero atmospheric image for HIPAA – New Rules/New Forms

HIPAA – New Rules/New Forms

Earlier this year, the federal government revised its regulations implementing the Health Insurance Portability and Accountability Act (HIPAA). The changes impact both health care providers and those of their vendors, contractors and subcontractors (i.e., “business associates”) who access patient information. Complying means revising key forms, agreements, and policies and procedures before a September 23, 2013 deadline. Mandatory revisions include:

  1. Business Associate Agreements – These agreements, in which a business associate agrees to protect the security and privacy of patient information, are now mandatory for all “downstream” health care subcontractors who access patient information on behalf of an insurer or health care provider. The agreements themselves must contain new language, including a mandate that all business associate subcontractors will similarly sign a business associate agreement.
  2. Breach Response Policies – Providers or their contractors must report to affected patients and to the government certain “breaches” of the security or privacy of patient information. The new rule has enlarged the meaning of “breach” to include a wider range of potentially improper uses or disclosures. Policies and procedures for responding to a potential breach must now be revised to reflect the new breach definition.
  3. Notices of Privacy Practices - Patients have new HIPAA privacy rights regarding genetic information, marketing, breach notification, and self-pay procedures. Providers must revise their notice of privacy practices to alert patients to these rights.
  4. Mandatory Audits - Business associates must now audit themselves to identify and to mitigate risks to the security and privacy of patient information.

Gordon Feinblatt has drafted form business associate agreements that satisfy the new HIPAA regulations. Gordon Feinblatt can also help amend your notice of privacy practices and policies and procedures.

For help coping with the mandatory changes, or if you have any other HIPAA questions, please contact:

Barry Rosen




Jonathan Montgomery