Privacy & Information Security Law Blog

Today, September 23, 2013, marks the deadline for compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Omnibus Rule that was issued in January 2013. Covered entities, business associates and subcontractors that access, use or disclose protected health information (“PHI”) will need to take the following actions:

For Covered Entities:

• Review and modify HIPAA privacy policies and procedures to address the new definition of “marketing” in the HIPAA Privacy Rule and to comply with the expanded rights of individuals with respect to their PHI;
• Evaluate which service providers need to sign a business associate agreement (“BAA”) with the entity;
• Revise BAAs to comply with the content requirements in the Final Omnibus Rule;
• Develop incident response plans to comply with the new requirement that a four-factor risk assessment be performed for any potential breaches of PHI; and
• Change the notice of privacy practices to be distributed to individuals.

For Business Associates:

• Draft and implement policies and procedures that comply with HIPAA Security Rule requirements;
• Revise BAAs as necessary to comply with the content requirements in the Final Omnibus Rule;
• Evaluate all subcontractors and enter into written contracts that are substantially similar to BAAs with any subcontractor that has access to PHI;
• Develop policies and procedures to comply with the “minimum necessary” standard in the HIPAA Privacy Rule; and
• Develop incident response plans to comply with the new requirement that a four-factor risk assessment be performed for any potential breach of PHI.

For Subcontractors to Business Associates:

• Draft and implement policies and procedures that comply with the requirements of the HIPAA Security Rule;
• Develop policies and procedures to comply with the “minimum necessary” standard in the HIPAA Privacy Rule; and
• Develop incident response plans to comply with the new requirement that a four-factor risk assessment be performed for any potential breach of PHI.

Although most requirements of the Omnibus Rule have a September 23, 2013 compliance deadline, BAAs are subject to a slightly different compliance deadlines. BAAs that were entered into prior to January 25, 2013 (and not renewed or modified from March 26, 2013 to September 23, 2013) will not need to be updated until the earlier of (1) the date the BAA is renewed or modified on or after September 23, 2013, or (2) September 22, 2014.