Final HIPAA rule increases penalties, liability for associates

IT companies must meet same standards as healthcare providers

HIPAA is now more restrictive about how patient information can be used for marketing purposes.

The maximum penalty for a data breach under the Health Insurance Portability and Accountability Act (HIPAA) is now $1.5 million, six times higher than the original fine under the law. That change is just one of the significant changes in the final HIPAA rule released recently by the Department of Health and Human Services (HHS).

“Much has changed in healthcare since HIPAA was enacted over 15 years ago,” said HHS Secretary Kathleen Sebelius as she announced the final rule. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”

The final rule will be effective on March 26, 2013. Covered entities and business associates must comply with the applicable requirements of the final rule by Sept. 23, 2013. Covered entities and business associates will have up to one year following the compliance date to modify business associate agreements in accordance with the requirements of the final rule.

Under the final HIPAA rule, business associates that are trusted with protected health information (PHI) are subject to much stronger requirements and penalties. They must now adhere to many of the same HIPAA privacy and security rules as hospitals and other healthcare providers. Some of the most significant data breaches, and the largest fines, have involved business associates.

Data breach notification requirements of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act also were strengthened. HHS made it more difficult to justify a decision not to notify when a security incident occurs. Under the soon-to-expire requirements, a breach must be reported only if it poses a “significant risk of financial, reputational, or other harm to the individual.” The new rule eliminates this risk-of-harm threshold and provides instead that the unauthorized acquisition, access, use, or disclosure of protected health information is presumed to be a reportable data breach unless a covered entity or business associate demonstrates that there is a low probability that the PHI was compromised.

Maximum penalty now much higher

Violations of the data security requirements could be much more costly. Under the original rule, penalties for data breaches could cost a maximum of about $250,000, but under the new HIPAA final rule, HHS has increased the maximum penalty for noncompliance to $1.5 million per violation.

In a public statement, Leon Rodriguez, HHS Office for Civil Rights director, said, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider, or one of their business associates.”

Risk managers should take particular note of the change in the standard for when a provider must publicly disclose a data breach, says Andrew E. Blustein, JD, a partner/director with the law firm of Garfunkel Wild in New Jersey and Connecticut. The previous standard relied on “significant risk,” which Blustein says was a sizable threshold to cross.

“The new standard is really going to hit risk managers because, for a while at least, I think there is going to be an increase in what needs to be reported,” Blustein says. “Now HHS presumes that there has been a data breach unless you can show there is a low probability that PHI was compromised. That’s a pretty low bar. You have to prove, or demonstrate through a risk analysis, that the PHI has not been compromised.”

Blustein suspects that, under those conditions, providers will end up sending out notification letters for breaches that are relatively minor but still could be construed to meet the requirement under HIPAA. He also notes that risk managers will have to do a risk analysis in “all situations” concerning a possible data breach, unless they decide to go ahead and send the notification without one.

In the event of a potential data breach, covered entities and business associates must determine whether there is a low probability that PHI has been compromised by performing a risk assessment that addresses four factors:

  • the nature and extent of the PHI involved, including the types of identifiers involved and the likelihood of re-identification;
  • the unauthorized person who used the PHI or to whom the information was disclosed;
  • whether the PHI was acquired or viewed; and
  • the extent to which the risk to the PHI has been mitigated.

“This is not easy stuff. And if you’re wrong, [reaching a conclusion other than] what the government would think, you are in a situation where you could be sanctioned by them,” Blustein says. “This is a shift. Organizations always had to do these risk analyses, but now you’ve changed the standard from significant harm to this low probability.”

Until there are more case studies and possibly guidance from HHS, risk managers will have to be conservative when analyzing possible data breaches, Blustein advises. Policies and procedures, as well as staff education, might need to be changed to reflect the new standards, he says. “You may have people on the frontline who are deciding what to report and not report based on the old standards,” he says.

Burden is on the provider

HIPAA poses more of an obligation now than ever before on hospitals, says R. Michael Scarano Jr., JD, a partner with the law firm of Foley & Lardner in San Diego.

“Before it might have been implicit, but now it’s explicit that the burden is on the covered entity to show that it was not a violation of HIPAA when you have a potential breach,” Scarano says. “Risk managers have some time to comply, but they should review their policies and procedures to make sure they’re going to be compliant with the new requirements. It’s entirely possible that you will need to do some self-assessment, policy changes, and education. Don’t squander the time you have.”

Because the final rule broadens the obligations of business associates and the definition of business associates, HIPAA is going to affect many more organizations now, says M. Leann Habte, JD, an attorney with the law firm of Foley & Lardner in Los Angeles. That change, in turn, broadens the responsibility of hospitals to ensure that their business associates are complying with the law, she says.

“In addition, you have to assess issues like whether there are any subsidies you’re receiving for marketing that could be considered compensation for PHI, and that is not always as clear-cut as you might imagine,” Habte says. “Organizations that are downstream contractors will have to do significant work to come into compliance, and you will have to have a process for ensuring that they do so in order to continue working with them.”

  • Andrew E. Blustein, JD, Partner/Director, Garfunkel Wild, Great Neck, NY. Telephone: (516) 393-2218. Email:
  • M. Leann Habte, JD, Associate, Foley & Lardner, Los Angeles. Telephone: (213) 972-4679. Email:
  • R. Michael Scarano Jr., JD, Partner, Foley & Lardner, San Diego. Telephone: (858) 847-6712. Email:

See the full final HIPAA rule at