The Department of Health and Human Services has updated the Health Insurance Portability and Accountability Act of 1996 so that it now holds business associates directly liable for HIPAA violations.
The department made the changes, which would take effect on March 26, in a bid to strengthen the privacy and security of patient health records.
The liability rule will likely affect around 200,000 to 400,000 organizations that keep protected health information on behalf of health care providers and payors.
Cloud, managed hosting, and colocation service providers fall under the business associates category.
Among the other changes, HIPAA compliance is no longer voluntary but penalty-based, with maximum fines potentially reaching $1.5 million for every provision violated.
Peter Tippett, chief medical officer and vice president of Verizon Innovation Incubator, said the changes add a twist to an already-complex HIPAA and should not be underestimated.
“Managing HIPAA is hard enough today as organizations scramble to modernize their offices as they move from paper-based record-keeping systems to electronic ones,” he added.
Other changes to the security rules now also allow:
patients to ask for electronic medical records in a digital format
privacy for patients who pay in cash
patients to provide hassle-free authorization to use their health information for research
parents to provide hassle-free authorization to share child immunization records with schools