Healthcare providers, health insurers and other “covered entities” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act face a September 23 deadline to comply with the provisions of the Omnibus Final Rule, released by the U.S. Department of Health and Human Services (HHS) in January. The rule made significant modifications to HIPAA and HITECH’s privacy and security protections for individuals’ protected health information (“PHI”), and strengthened the federal government’s enforcement authority.
Among other changes, the Final Rule expanded many of the requirements applicable to business associates that receive PHI from covered entities. Covered entities that did not have a business associate agreement (“BAA”) complying with the prior HIPAA and HITECH regulations in place by January 25 of this year must enter into a new agreement by September 23 that complies with the Final Rule. Entities that had a HIPAA-compliant BAA in place as of January 25 may continue operating under their existing agreement until September 23, 2014, as long as the BAA was not revised or renewed between March 26 and September 23, 2013. HHS has posted sample BAA provisions on its website, but the language of any BAA should be customized to reflect the relationship between the parties and, where appropriate, to add further provisions.
The Final Rule also strengthens the requirements of HIPAA’s Breach Notification Rule, changes that must be incorporated into BAAs, and increases the potential penalties for noncompliance with HIPAA and HITECH to as much as $1.5 million per violation. The Final Rule also expands individual patients’ rights under HIPAA (including setting limits on how their PHI may be used and disclosed for marketing and fundraising purposes) and requires that providers’ Notices of Privacy Practices be amended by September 23, 2013.
HIPAA covered entities and their business associates should make every effort to comply with the Final Rule by the deadline because, in the event of a data breach or other violation, financial penalties will likely be far more severe for those that have not complied.