Monday, September 23, 2013 is an important HIPAA compliance deadline because the changes made under the final HIPAA “omnibus” rule (the “Omnibus Rule”) become effective on this date. Generally, the Omnibus Rule makes a number of changes to the rules regarding business associates, breach notification obligations, and HIPAA enforcement. As a result, employers sponsoring group health plans and health care providers (i.e., “covered entities” under HIPAA) should review and update their HIPAA-compliance materials.
The following summarizes a few of the most significant changes under the Omnibus Rule:
- Required Changes to Notices of Privacy Practices (“NPPs”). The Omnibus Rule includes required changes to NPPs, including a statement notifying individuals that they have the right to be notified following a breach of their protected health information (“PHI”). If an employer posts its NPP on its website, the revised NPP must be posted by September 23, 2013, and a hard copy of the revised NPP must be included in the employer’s next annual mailing to participants. Health care providers should update their NPPs by September 23, 2013 and post and distribute the revised NPPs as required under HIPAA. Please see our recent Client Alert regarding HHS’ release of model HIPAA NPPs.
- Required Updates to Business Associate Agreements (“BAAs”). The Omnibus Rule includes required changes to BAAs, including a provision regarding the breach notification obligations of the parties. BAAs entered into with new business associates must reflect these changes by September 23, 2013. For BAAs that were already in place as of January 25, 2013 (and were not renewed or modified between March 26, 2013 and September 23, 2013), the compliance deadline is one year later – September 23, 2014.
- Updates to HIPAA Policies and Procedures and Workforce Training. Employers and health care providers should revisit their HIPAA privacy and security policies and procedures to ensure that they reflect the changes made under the Omnibus Rule. For instance, employers and health care providers should ensure that they have implemented policies and procedures on how to handle breaches of unsecured PHI. Employers and health care providers should also provide updated workforce training so that employees with access to PHI are aware of the changes under the Omnibus Rule, including how to identify and assess a potential breach of PHI.