Covered entities and business associates must comply by September 23, 2013

On January 25, 2013, the U.S. Department of Health and Human Services’ (HHS) omnibus rule was published in the Federal Register. The final rule amends certain rules under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the regulations implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted in 2009.

The changes in the omnibus rule provide the public with increased privacy protection and strengthen the government’s ability to enforce the law. HIPAA has primarily been focused on health care providers, health plans and other entities that process health insurance claims; however, the revisions expand many of the requirements to business associates of those entities that receive and have access to protected health information. The modifications of the omnibus rule also change the circumstances in which breaches of unsecured health information must be reported to HHS.

There are many actions covered entities and business associates need to take in order to comply with the requirements of the final omnibus rule by the September 23, 2013 deadline. 

Providers

Health care providers, health plans and other covered entities should reevaluate their practices and take the following steps:

  • review and update Notices of Privacy Practices consistent with the omnibus rule
  • review existing business associate agreements, and revise those agreements as necessary, consistent with the omnibus rule. Business associate agreements that were in place prior to January 25, 2013, which were in compliance as of that date, and for which the underlying contract has not been amended or renewed since March 26, 2013, do not need to be amended until the earlier of the date on which the underlying contract was amended or renewed, or September 22, 2014
  • identify whether other persons or entities with which the covered entity has a relationship are now to be considered “business associates,” given the revised definition of “business associate” under the omnibus rule
  • enter into new business associate agreements as necessary, given the conclusions reached above
  • educate and train personnel regarding HIPAA and HITECH compliance, including new breach reporting provisions
  • review and amend the current protocol for a possible breach of protected health information (PHI), including procedures for evaluating whether a breach has occurred and processes for breach reporting

Business Associates

Individuals and entities who are not covered entities should determine whether they will be implicated under the revised definition of “business associate.” Under the HITECH Act and the final omnibus rule, business associates are directly liable for certain actions or omissions, such as:

  • the use or disclosure of PHI in a manner that is not in accordance with its business associate agreement or with HIPAA’s privacy rule
  • failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request
  • failure to disclose PHI to HHS, when required by HHS
  • failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf

In order to comply with the requirements of the final omnibus rule, business associates should, at a minimum:

  • designate a privacy and security compliance officer to be responsible for the development and implementation of policies, procedures and compliance with the administrative safeguards required by HIPAA
  • implement written policies and procedures regarding HIPAA compliance and security
  • conduct a risk management assessment to determine compliance and risks, prepare documentation of that assessment, and develop a risk management plan
  • review and amend the current protocol for a possible breach of protected health information (PHI), including procedures for evaluating whether a breach has occurred and processes for breach reporting
  • educate and train personnel regarding HIPAA compliance, including new breach reporting provisions
  • identify covered entities with whom the business associate does business and review business associate agreements
  • identify subcontractors with whom the business associate does business and who have access to PHI, and confirm that adequate business associate agreements have been executed with those subcontractors

Each case a business or individual may face is unique and may require legal advice. This article does not constitute, and should not be considered, legal advice. You are urged to consult with an attorney on your own specific legal matters.