The U.S. Department of Health and Human Services has adopted a new rule concerning privacy and security for health information, to take into account changes that have occurred in health care since enactment of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Some of the key features in the 563-page final rule are outlined below.

Privacy notices given by covered entities, such as health-care providers and health plans, must now include a statement about a patient’s right to restrict the disclosure of his or her health information when paying out of pocket for the service.

“Downstream” business associates of covered entities are also covered by the new HIPAA rule. Thus, such subcontractors as billing and phone services, document and data storage companies, and other such entities whose functions involve the disclosure of protected health information are subject to liability for violations and the potential for agency enforcement action and penalties. This aspect of the new rule was meant to prevent covered entities from effectively skirting their HIPAA obligations by farming tasks out to subcontractors.

Before the new rule, a breach had to be reported to a patient if it posed a significant risk of financial, reputational, or other harm to the individual. Now, if health information is compromised, a data breach is presumed, with the attendant notification requirements, unless there is a low probability that the protected information was in fact compromised.

Factors to consider as to whether a breach must be reported are the nature and extent of the information, the person to whom the data was disclosed, whether that person actually viewed it, and whether the risk was mitigated in some manner.

While patients already had a right to a copy of their health records, the new rule changed the default form of production from a hard copy to an electronic copy when the information is maintained electronically. Entities may charge a reasonable fee for providing the information, and now the information must be provided within 30 days of the request.

The new final rule took effect on March 26, 2013, and compliance with all applicable requirements must occur by September 23, 2013.