► Adopt a revised Notice of Privacy Practices, incorporating the changes outlined below. The revised Notice should be posted in a prominent location in your office and on your practice website, if you have one. It is not necessary to distribute a copy of the revised Notice to all existing patients; the revised Notice need only be provided to existing patients upon request. However, on or after September 23, 2013, all new patients should receive an individual copy of the revised Notice and an acknowledgment should be requested.

► Adopt revised HIPAA Policies and Procedures, incorporating the changes outlined below, no later than September 23, 2013. This is an internal practice document that does not need to be shared with patients.

► Enter into a new Business Associate Agreement with all existing vendors and contractors who have access to PHI as part of their work for you. Please note that the Final Rule provides for a one-year extension to update all pre-existing BAAs – until September 22, 2014. Please see below for a more detailed description of the extended compliance deadline. Please use the updated model BAA with all new vendors and contractors going forward.


The following is a summary of key changes of interest to psychiatrists: 

Business Associates

Under the Final Rule, the HIPAA privacy, security and enforcement rules now apply directly to business associates and business associates will be directly liable for noncompliance.  In addition, the definition of business associate has been expanded to include patient safety organizations, health information organizations, and subcontractors of business associates.  Any person or entity that acts on behalf of a business associate will be considered a subcontractor of a business associate, regardless of whether a contract is in place between the subcontractor and the covered entity. 

Business Associate Agreements

In connection with the issuance of the Final Rule, HHS has published an updated model Business Associate Agreement (BAA) and NYSPA has updated its model BAA to conform to the new HHS version. A copy of the NYSPA model BAA will be made available for download in the HIPAA section of the NYSPA website. All members must update their BAAs accordingly.

There is a one-year extension for all existing BAAs entered into prior to January 25, 2013, as long as they are not renewed or modified between March 26, 2013 and September 23, 2013.

These existing BAAs shall be deemed to be in compliance until the earlier of (i) September 22, 2014 or (ii) the date the BAA is renewed or modified during the one-year extension period (i.e., 9/23/13 through 9/22/14).

Please note: If an existing BAA is modified between March 26, 2013 and September 23, 2013, the extension is no longer applicable and the new model BAA must be used.

Notice of Privacy Practices

The Final Rule requires that all Notices of Privacy Practices (NPP) include specific language about the types of uses and disclosures that require patient authorization, including psychotherapy notes, marketing and the sale of PHI, as well as the statement that any other uses or disclosures not described in the NPP will be made only upon patient authorization.  As a result, NYSPA has updated its model NPP to conform to these new requirements and the revised version will be made available in the HIPAA section of our website. 

PHI About Decedents

The Final Rule confirms that HIPAA does not apply to the individually identifiable health information of persons deceased for more than 50 years. Further, the Final Rule now permits covered entities to disclose a decedent's PHI to family and others involved in the decedent's care prior to death, unless doing so would be inconsistent with a known preference expressed by the decedent.

Restrictions on Disclosures

The Final Rule states that a provider must comply with a patient's request to restrict the disclosure of information if the information is to be sent to a health plan for payment or health care operations purposes and the patient has paid the provider in full (unless the disclosure is otherwise required by law). 

Access to Information in Electronic Format

The Final Rule confirms that if a provider maintains an electronic health record, patients may request an electronic copy of their health information or may have the information transmitted electronically to a designated recipient.  Document production fees may not be greater than the associated labor cost. 

Marketing and Health Care Operations

Under HIPAA, marketing refers to a communication about a product or service that encourages recipients to purchase or use the product or service.  Normally, a covered entity is required to obtain patient authorization prior to making a marketing communication.  However, if certain conditions are met, the marketing communication will come under the umbrella of health care operations activities and may be made without patient authorization.

However, the Final Rule clarifies that any and all treatment communications subsidized by a third party will be considered marketing activities and will require patient authorization. The authorization form must clearly state that the marketing communication will result in remuneration to the covered entity.

Breach Notification

The Final Rule amends the definition of the term "breach" to state that an impermissible use, access or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that PHI has been compromised, based on a risk assessment of at least the following factors: (i) the nature and extent of the PHI involved; (ii) who gained access to the PHI; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated. HHS determined that the previous "risk of significant harm" standard may have been interpreted by some parties as setting a higher threshold for breach notification than originally intended.

Enhanced Enforcement Activities

The Final Rule establishes enhanced civil money penalties as follows:

Violation Category                 Penalty for Each Violation

Did not know
Reasonable cause
Willful neglect – corrected
Willful neglect – not corrected


In addition, the Final Rule clarifies that no penalties will be assessed with respect to a violation that is corrected in a timely manner, as long as there is no willful neglect. Business associates will now also be directly liable for civil money penalties in connection with HIPAA violations.