Last week the U.S. Department of Health and Human Services (HHS) released final regulations modifying existing HIPAA enforcement, privacy and security regulations. Although a number of the changes merely serve as clarification of existing regulations, the modifications impose a number of new requirements on covered entities and business associates.

Some of the important issues addressed in the new rules include the following:

  • Clarification of the definition of a privacy breach;
  • Adoption of risk assessment factors to be taken into consideration in conducting a breach analysis;
  • Modifications to the limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
  • Modifications regarding business associates including changes to the definition of a business associates and when business associates may held directly liable for violations;
  • Modifications to the required terms in business associate agreements; and
  • Modifications that covered entities are required to make to their Notices of Privacy Practices.

The new regulations take effect on March 26, 2013 and covered entities and business associates have until September 23, 2013 to comply. The regs were published in the Federal Register on January , 2013 and can be viewed here Federal Register.

Check back for more detail on the required business associates and NPP changes.