Are You Ready for the HIPAA Omnibus Rule?

As of September 23, 2013, covered entities and business associates must comply with the new HIPAA Omnibus Rule.

COVERED ENTITIES

To comply with the HIPAA Omnibus Rule requirements, covered entities (health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses) should consult with an attorney to:

1. Review, Revise, and Update Business Associate Agreements (BAAs)

  • Covered entities must have BAAs with their business associates. These BAAs must contain “satisfactory assurances” that the business associate will appropriately safeguard PHI.[1]
  • Because the HIPAA Omnibus Rule includes new types of entities in the definition of “business associate,” covered entities should review their existing business relationships to determine whether BAAs will be necessary.
  • Terms of BAAs should be revised to reflect new requirements.
  • Most BAAs must be revised or updated by September 23, 2013. However, for BAAs that were already in place before January 25, 2013 and are not renewed or modified between March 26, 2013 and September 23, 2013, the deadline is extended to September 22, 2014 (or to the date the BAA is next renewed or modified, if earlier).

2. Revise and Redistribute Notice of Privacy Practices

  • Notice of Privacy Practices must be revised to contain statements reflecting permissible disclosures of PHI, individuals’ rights with respect to PHI, and covered entities’ duties. The Notice must also contain instructions for filing complaints.
  • Revisions must be made, and copies of revised notices must be posted and made available to patients, by September 23, 2013.
  • Covered entities that have websites must post the revised notice prominently on the site and make it available electronically through the site.

3. Review, Revise, and Implement Privacy and Security Policies and Procedures

  • Covered entities must implement policies and procedures to ensure compliance with provisions regarding breach notification, use and disclosure of PHI, expanded protection for individual rights, and other Omnibus Rule provisions.
  • Employees must be trained to follow and implement revised policies and procedures.

BUSINESS ASSOCIATES

Under the Omnibus Rule, business associates of covered entities are directly liable for HIPAA compliance and are subject to penalties for violations. Business associates should do the following to ensure compliance with the new rule:

1. Review, Revise, and Update Business Associate Agreements (BAAs)

  • Business associates must have BAAs with 1) covered entities and 2) certain “downstream” subcontractors. These BAAs must contain “satisfactory assurances” that the business associate or the downstream subcontractor will appropriately safeguard PHI.
  • Because the HIPAA Omnibus Rule includes new types of entities in the definition of “business associate,” entities that have business relationships with covered entities, or entities that are “downstream” from business associates, should determine whether they are “business associates” according to the Omnibus Rule.
  • Entities become business associates by virtue of their actions, not by virtue of signing a BAA. Therefore, if an entity fits the definition of business associate, but does not have a BAA in place, the entity is in violation of HIPAA.
  • Terms of existing BAAs should be revised to reflect requirements of the Omnibus Rule.

2. Review, Revise, and Implement Privacy and Security Policies and Procedures

  • Business associates must implement policies and procedures to ensure compliance with provisions regarding breach notification, use and disclosure of PHI, expanded protection for individual rights, and other Omnibus Rule provisions.
  • Workforce members must be trained to follow and implement revised policies and procedures.

If you need help or have any questions about compliance with, and implementation of, the new, more stringent HIPAA Omnibus Rule, call Feldman Kieffer today at 716-852-5875 or email us.


[1] 45 CFR § 164.308(b) (2013).
