On September 23, 2013, the myriad changes to the HIPAA Privacy and Security Rules, published on January 25, become enforceable. Covered entities have a lot that must be accomplished before that deadline, including updates to their Notice of Privacy Practices, policies and procedures, and employee training. They also need to ensure that they had a HIPAA compliant business associate agreement in place with all business associates as of January 25. If not, a new agreement must be in place by September 23 that complies with the omnibus rule. All other agreements must be updated by September of 2014.
Business associates and subcontractors that do not already have a robust HIPAA compliance program in place have a lot of work to do by the deadline. The tasks the business associates and subcontractors must complete include, among other things:
- Conducting a documented risk analysis relating to the security of electronic protected health information;
- Appointing a Security Official;
- Developing or updating HIPAA policies and procedures related to each applicable HIPAA requirement;
- Ensuring that HIPAA-compliant business associate agreements are in place with covered entities and subcontractors; and
- Conducting employee training.
More information is available at these links: