Significant changes in HIPAA regulations that took effect in September spurred a flurry of activity at hospitals.

Changes to the privacy law include an expansion of the liability for selected vendors and subcontractors of organizations covered by HIPAA; tightened rules as to what constitutes a reportable breach of the law; and added requirements to update public patient-privacy rights reporting.

A big practical change for hospitals concerns the expanded liability of vendors, known as business associates, with access to protected health information. They assume direct liability under the new rules, which required revised agreements with hospitals.

The changes that affect hospitals operationally concern how to determine what constitutes a reportable breach of HIPAA. Now a patient health-related event is presumed to be reportable unless the covered entity can demonstrate it was not important enough to warrant reporting, experts say. Previously, there was no such presumption.

The technical revision to HIPAA requires changes to hospital policies and to patient processing. As of Sept. 23, patients can require that their insurer not be notified of a procedure or treatment if patients pay for the care themselves. This necessitates significant staff education regarding the patient's new right to do that.

All of the changes require that staff be educated and that public HIPAA notices be updated, with the old notices taken out of circulation.