Solutions HIPAA Information Web Site Home | Contact Us | Search

Getting Started
Service Request
Reference Materials
Support Forum

What's this website all about?

"HIPAA - Health Insurance and Portability Act of 1996"

The purpose of this Web site is to provide informational assistance for our customers in regards to HIPAA compliance issues.  We've provided a number of old and new resources here to help you better understand, create policies and documentation, and assist you with compliance issues for HIPAA rules.

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (January 25, 2013)
All covered entities and business associates must comply by September 23, 2013.

“This final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA. We understand that some covered entities, business associates, and subcontractors remain concerned that a 180-day period does not provide sufficient time to come into compliance with the modifications. However, we believe not only that providing a 180-day compliance period best comports with section 1175(b)(2) of the Social Security Act, 42 U.S.C. 1320d–4, and our implementing provision at 45 CFR 160.104(c)(1), which require the Secretary to provide at least a 180-day period for covered entities to comply with modifications to standards and implementation specifications in the HIPAA Rules, but also that providing a 180-day compliance period best protects the privacy and security of patient information, in accordance with the goals of the HITECH Act.

“In addition, to make clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules, we adopt the provision we proposed at 45 CFR 160.105, which provides that with respect to new or modified standards or implementation specifications in the HIPAA Rules, except as otherwise provided, covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. In cases where a future modification necessitates a longer compliance period, the Department will expressly provide for one, as it has done in this rulemaking with respect to the time permitted for business associate agreements to be modified.

 “For the reasons proposed, the final rule also retains the compliance date provisions at 45 CFR 164.534 and 164.318, which provide the compliance dates of April 14, 2003, and April 20, 2005, for initial implementation of the HIPAA Privacy and Security Rules, respectively. We note that 160.105 regarding the compliance date of new or modified standards or implementation specifications does not apply to modifications to the provisions of the HIPAA Enforcement Rule, because such provisions are not standards or implementation specifications (as the terms are defined at 160.103). Such provisions are in effect and apply at the time the final rule becomes effective or as otherwise specifically provided. In addition, as explained above, our general rule for a 180-day compliance period for new or modified standards would not apply where we expressly provide a different compliance period in the regulation for one or more provisions. For purposes of this rule, the 180-day compliance period would not govern the time period required to modify those business associate agreements that qualify for the longer transition period in 164.532….
“Finally, the provisions of section 13402(j) of the HITECH Act apply to breaches of unsecured protected health information discovered on or after September 23, 2009, the date of the publication of the interim final rule. Thus, during the 180 day period before compliance with this final rule is required, covered entities and business associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the interim final rule. We believe that this transition period provides covered entities and business associates with adequate time to come into compliance with the revisions in this final rule and at the same time to continue to fulfill their breach notification obligations under the HITECH Act.”

For provisions of the modifications of the Final Rule, you may access them through electronic Code of Federal Regulation links available at .
Or click on the link below that we have created for you:
Part 164 is “Security and Privacy,” and Subpart C is “Security Standards for the Protection of Electronic Protected Health Information,” and Subpart D is “Notification in the Case of Breach of Unsecured Protected Health Information,” and Subpart E is” Privacy of Individually Identifiable Health Information.”

Solutions, Inc.
2311 West 18th Street
Spencer, IA 51301

Phone : (712) 262-4520
E-Mail :


Home | Getting Started | Documentation | Processes | Service Request | Suggestions | Reference Materials | Support Forum

This information is provided to assist entities within the State of Iowa in understanding the obligations imposed by the Health Insurance Portability and Accountability Act (HIPAA). Solutions, Inc. provides no guarantees or warranties of any kind. Utilization of this information is at the sole risk of the user. As with any matter of law, independent legal counsel should be consulted regarding compliance with the requirements of the HIPAA.
Questions or problems regarding this web site should be directed to
Visit the Solutions, Inc. corporate website

Last modified: 01/02/15.
Copyright © 2005 - 2015 Solutions, Inc. All rights reserved.