HIPAA White Paper





This paper briefly outlines some of the key changes that the Omnibus Final Rule makes to the regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Final Rule imposes new obligations and direct liability on business associates to comply with HIPAA’s Security and Privacy Rules. Covered entities and business associates have until September 23, 2013 to become fully compliant under the Final Rule.


It is the policy of MerusCase to be in strict compliance under HIPAA, the Final Rule, and other applicable state law. Because the MerusCase team works around the clock to ensure complete privacy of all client information, regardless of nature, you can rest assured that your data is safe, your clients are protected, and your firm maintains regulatory compliance.


Brief Overview of HIPAA Final Omnibus Rule


The long-awaited HIPAA Final Omnibus Rule (Final Rule), published in the Federal Register on January 25, 2013 by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), greatly enhances patients’ privacy protection, gives individuals new rights to their personal health information, redefines “breach,” and strengthens the government’s ability to enforce the law. When the Final Rule was announced in January, HHS Secretary Kathleen Sebelius stated, “Much has changed in health care since HIPAA was enacted over fifteen years ago.” The Secretary also stated that “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital stage.”


To help safeguard personal medical information against breach, HIPAA, enacted in 1996, set national standards for medical privacy. The American Recovery and Reinvestment Act (ARRA), signed by President Obama in February 2009, established additional privacy and security requirements that many experts hailed as the most sweeping change to the healthcare privacy and security environment since the original HIPAA Privacy Rule.


The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of ARRA, sought to streamline healthcare and reduce costs through the use of health information technology. It also required the healthcare industry to comply with the HIPAA Privacy and Security Rules by establishing a risk management process and conducting regular risk assessments.


The Final Rule affects almost every aspect of patient privacy and data security, as well as who is subject to compliance. For risk managers, the most significant change is that the Final Rule imposes significant new obligations on the so-called business associates that do business with covered entities, and on their subcontractors.


Changes to the Definition of “Business Associate”


One of the most significant changes is HHS’ expanded definition of “business associate” and the imposition of direct liability on business associates of covered entities for noncompliance with certain provisions of the HIPAA Privacy and Security Rules. Moreover, under the Final Rule a person becomes a business associate by definition, not by the act of contracting with a covered entity: the absence of a written agreement does not avoid business associate status. The previously narrower definition was expanded to cover any entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity for a function or activity regulated by HIPAA, including claims processing or administration, data analysis, processing or administration, and similar categories. Health information organizations, e-prescribing gateways, and other persons that provide data transmission services with respect to PHI and require routine access to that PHI are also covered.


Another change is that the definition of business associate now includes a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate. According to the preamble to the Final Rule, this includes persons who act on behalf of a business associate even where no contract is in place. The change also creates downstream liability for subcontractors, however many tiers removed from the covered entity they are.


Security Rule Applies Directly to Business Associates


The Security Rule standards were modified to cover business associates expressly, with direct liability for violations. Certain changes were also made to the provisions that address maintenance of security measures, and the requirement for administrative safeguards was updated to cover business associates.


Agreements with Business Associates


Under the Final Rule, a covered entity is not required to obtain satisfactory assurances from a business associate’s subcontractor. Rather, the business associate itself must obtain satisfactory assurances, in the form of a written business associate agreement, that the subcontractor will appropriately safeguard the information if the subcontractor is to create, receive, maintain, or transmit electronic PHI on the business associate’s behalf. This places the burden of managing subcontractors on the business associate rather than on the covered entity.


Administrative, Physical and Technical Safeguards


Under the Final Rule, business associates are directly required to comply with the Security Rule’s administrative, physical and technical safeguards, which address how patient data is stored and transmitted. The safeguard standards are the following:


Administrative Safeguards

  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Information Access Management
  • Security Awareness and Training
  • Security Incident Procedures
  • Contingency Plan
  • Evaluation
  • Business Associate Contracts and Other Arrangements

Physical Safeguards

  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Controls

Technical Safeguards

  • Access Controls
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security


The HIPAA security standards do not mandate particular technologies, so each affected organization must assess its own risk and select security measures accordingly. Each implementation specification under the standards is either required or addressable; an addressable specification is not optional, but must be implemented if reasonable and appropriate, and otherwise the organization must document why it is not and implement an equivalent alternative measure where reasonable and appropriate. Organizations must then periodically evaluate their security programs, either through an internal procedure or by an outside assessor. Thus, full compliance with the HIPAA Security Rule, with the Administrative, Physical, and Technical Safeguards actually implemented, requires a comprehensive and effective information security program.


Breach Notification Rule


Under the Final Rule, covered entities and business associates must conduct a risk assessment of every impermissible use or disclosure of unsecured PHI. Such a use or disclosure is presumed to be a breach unless the assessment demonstrates a low probability that the PHI has been compromised; the former “risk of harm” standard no longer applies. The factors that must be considered in making the risk assessment include at least the following:


  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.


Privacy Rule Applies Directly to Business Associates


The Final Rule also applies parts of the Privacy Rule directly to business associates. Most notably, business associates may not use or disclose PHI except as permitted by their business associate agreement and the Privacy Rule, and may not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity. Business associates must disclose PHI to HHS when HHS is investigating or determining compliance, and must disclose PHI to the covered entity, the individual, or the individual’s designee as necessary to satisfy a covered entity’s obligation to respond to an individual’s request for an electronic copy of PHI.


Business associates must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose when using, disclosing or requesting PHI. Business associates must also enter directly into a business associate agreement with any subcontractor that creates, receives, maintains, or transmits PHI on the business associate’s behalf. Finally, under the Final Rule, business associates are subject to the HIPAA Breach Notification Rule, which requires a business associate that discovers a breach of unsecured PHI to notify the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery.


Planning for Compliance


The Final Rule puts renewed pressure on covered entities and new burdens on business associates to act now to achieve compliance with HIPAA and its breach notification requirements. With OCR’s strengthened enforcement powers, business associates and healthcare organizations need to demonstrate and document this compliance. The following steps provide a comprehensive foundation for compliance under the Final Rule:


  • Clearly define a policy-driven security management program that can be incorporated into your business processes – Identify and designate the people and the technology controls necessary to satisfy the company’s security policies and procedures.
  • Conduct a complete risk assessment – First identify all PHI and determine the risks to PHI security that exist within the company, and spell out all the controls you have in place for safeguarding PHI.
  • Conduct a comprehensive HIPAA Security Assessment to ascertain your current security state of affairs.
  • Validate security controls – Provide for the monitoring and reporting of controls on personnel actions, process controls, and information technology controls.
  • Create a plan to mitigate major risks.
  • Carry out, monitor, and document annual privacy and security risk assessments, including risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.
  • Clearly identify, manage, and document compliance of business associates and their downstream subcontractors.
  • Define and document your method for the security incident risk assessments that determine whether an incident is a reportable breach. Demonstrate that the proper steps were taken to correct systems and adjust policy if noncompliance is identified.
  • Ensure that all employees and management are trained on their roles and responsibilities with respect to the Security Rule and PHI.
  • Maintain an ongoing program for monitoring, auditing, and reporting of the operational processes for HIPAA compliance.




The Final Rule significantly strengthens HIPAA enforcement, which should be of great concern to business associates and subcontractors. OCR has become much more aggressive in the last couple of years in enforcing HIPAA and now has even greater enforcement power at its disposal. Thus, it is imperative that business associates have policies and procedures in place to ensure compliance. MerusCase adheres to the policies and procedures within MerusCase’s HIPAA Compliance Policy Manual, and will continue to achieve further compliance under the Final Rule to further enhance and increase safeguards to protect the privacy of all client information.




  1. 78 Fed. Reg. 5566 (Jan. 25, 2013) http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
  2. HIPAA Business Associate Agreement is available in the Forms & Template section within MerusCase. It will automatically include your firm information where applicable as all MerusCase forms do.



