Medical offices and other businesses that are subject to the federal HIPAA medical-privacy law will have to comply with some new rules from Congress.

The changes include:

► If a breach of privacy occurs, you must now notify the affected individuals within 60 days. (Before, you only had to try to limit the negative effects of a breach.) If the breach affects more than 500 people, you must report the incident to the U.S. Department of Health and Human Services and the media. If 10 or more affected people can’t be contacted directly, you must post the information conspicuously on your website.

► “Business associates” of medical offices are now covered, such as third-party administrators who help an office administer its health plan.

► Patients now have greater rights to keep certain information private, such as medical records and drug counseling, and can demand a more detailed accounting of how their health information is being used.

► The government is now required to audit a certain number of medical offices. (Before, it was merely allowed to do so, but didn’t have to.) In addition, the maximum fines are increased to $1,000 per violation (up from $100) and $100,000 per year (up from $25,000). The fines apply to business associates as well.

Some of the new provisions take effect immediately, while others take effect next year.