The HIPAA Privacy Rule and portions of the HIPAA Security Rule were dramatically amended by an omnibus rule published by the Department of Health and Human Services in January 2013. Highlights of the changes that need to be made by covered entities (CE) and business associates (BA) are:

  • Changes to the Notice of Privacy Practices (NPP) and medical records release forms. In particular the NPP needs to apprise the individual that they will be informed if their protected health information (PHI) is breached;
  • Business associate agreements (BAA) need to reflect that BAs are now directly liable for compliance and enforcement of HIPAA rules and indicate that BAs will obtain written assurance of compliance from downstream contractors and vendors; and
  • BAs must put into place policies and procedures for compliance with privacy and security rules.

The deadline for CEs and BAs to come into compliance with the new rules is September 23, 2013. CEs and BAs must start to do the following:

  • Modify BAAs and policies and procedures to reflect changes to the breach notification rules, which includes ensuring the new four-factor risk assessment is met;
  • Modify BAAs and policies and procedures to address the prohibition on the sale of individuals' PHI without permission;
  • Modify and implement new policies and procedures that address the new limits on permissible uses of information for marketing and fundraising activities;
  • Modify BAAs and policies and procedures to address the expanded rights of individuals to restrict disclosures of PHI;
  • Modify BAAs and policies and procedures to address the expanded rights of individuals to receive copies of their PHI, including electronically; and
  • Make sure personnel are trained on the new requirements and updated policies and procedures.

Companies should consider the following to ensure compliance by the September 23, 2013 deadline:

  • Implementation or review of an existing HIPAA Privacy Policy Manual, including policies and procedures and forms such as the NPPs and the release of health information form;
  • Preparation of a new or revised BAA form (which includes, but is not limited to, addressing downstream contractors);
  • Implementation or review of an existing HIPAA Security Policy Manual, including guidance for performing a risk assessment and model policies; and
  • Implementation of workforce training.

Chad Ehrenkranz