HIPAA’s New 
563-Page 'Mega-Rule'

On January 25, 2013, the Department of Health and Human Services (HHS) launched its 563-page HIPAA “mega-rule” and commentary. This leviathan changes HIPAA’s Privacy, Security, and Enforcement regulations, previously mandated by the HITECH Act. It also is a game-changer for HIPAA breach notification.

The mega-rule goes into effect March 26, 2013. Physicians must comply with it by September 23, 2013, or face potential civil and administrative penalties. Two notable provisions that will affect physicians are the updating and redistributing notice of privacy practices and the New Standard for Breach Notification.

Updating and Redistributing Notice of 
Privacy Practices

Since the onset of HIPAA’s Privacy Rule in 2003, physicians have been required to give patients, at their first visit, a Notice of Privacy Practices (NPP), which describes the office’s policies for permissible use and disclosure of patient Protected Health Information (PHI), and informs patients of their rights concerning their PHI. For many offices, NPPs have remained basically the same for the last decade.

The new regulations require physicians to update their NPPs to include a description of certain types and uses and disclosures that require patient authorizations. NPPs also must inform patients how they may access their PHI electronically, along with their right to restrict disclosure of their PHI to a health plan if they pay for medical services entirely out-of-pocket.

NPPs need to include a statement that the practice may disclose relevant PHI of a deceased patient to a family member, friend, or representative (even absent probate) if that family member or person had been involved in the patient’s care or payment before death, unless disclosure would be inconsistent with the patient’s express wishes to the practice. Practices must also apprise patients that they will be notified if a breach of unsecured PHI occurs. Physician offices are required to redistribute their new NPPs to patients.

New Standard for Breach Notification

The unauthorized use or disclosure of unsecured PHI — paper or electronic — can result in a HIPAA violation or breach. 
A breach is the more serious offense that can result in steeper penalties. Under the old regulations, a violation of HIPAA’s Privacy Rule did not presume a breach unless the unauthorized use or disclosure of PHI posed a “significant risk” of financial, reputational or other harm to the patient. The new regulations flip the old standard by creating a presumption that the unauthorized acquisition, access, use or disclosure of PHI will constitute a breach, unless the physician is able to demonstrate that a “low probability” exists that PHI has been compromised with harm to the patient, based on an objective risk assessment.

Risk assessment factors include:

  • The nature and extent of PHI involved, including types of identifiers and likelihood of re-identification
  • Unauthorized persons who used the PHI or to whom disclosure was made
  • Whether PHI actually was acquired or viewed
  • Extent to which the risk to PHI has been mitigated

The Office of Civil Rights, which is charged with enforcing the new regulations, observed that the more sensitive the information, the more likely a breach has occurred. In that event, physician practices are legally obligated to notify patients and take steps to mitigate damage. Practices also must notify HHS, which will investigate and likely impose stiff penalties.

Physicians need to dust off their old HIPAA policies and NPPs, review them with legal counsel, and update them to meet these new requirements aimed at safeguarding patient privacy in a brave new post health care reform world.


About the Author

Joe Feltes is an attorney with Buckingham, Doolittle & Burroughs in Canton, OH, and a member of its Health & Medicine Practice Group. Feltes is also the managing partner of Buckingham Canton. For more information about the law firm, go to or email Feltes at





Sign up to receive industry news and events from MD News.

* indicates required