*HIPAA Summary of 2013 HIPAA Omnibus Changes Logo

  • Business Associates (BAs): Makes BAs of covered entities directly liable for compliance with certain HIPAA privacy and security rule requirements.
  • Marketing and Fundraising: Strengthens the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibits the sale of PHI without individual authorization, in most cases.
  • Notice of Privacy Practices: Requires modifications to, and redistribution of, a covered entity’s notice of privacy practices.
  • Child Immunizations: Modifies the individual authorization so that disclosure of child immunization proof to schools that are required by their state law to have such information may be authorized by phone, as long as the verbal authorization is noted in chart.
  • Decedent Records: Enables access to a decedent’s PHI by family members or others who provided care, or payment of medical bills, absent any known contrary wish of the decedent; also makes all decedent records available to anyone (i.e., the information is no longer PHI) 50 years after death.
  • Enforcement: Adopts the additional HITECH Act enhancements to the Enforcement Rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

Please review our Notice of Privacy Practices.

For more information, visit the official central governmental hub for all HIPAA issues including rules, standards and implementation guides.