The Final Omnibus HIPAA/HITECH Rule: Will You Be Compliant By September 23, 2013?
If your organization handles protected health information (PHI), as defined by HIPAA, September 23, 2013 is a critical date. That is the deadline for covered entities (i.e., healthcare providers, health plans, employer-sponsored health plans and health care clearinghouses) and business associates to comply with final HIPAA regulations (the Final Rule), issued in January of this year by the Department of Health and Human Services, Office for Civil Rights (OCR). The Final Rule implements changes to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules.
The Final Rule also extends the reach of HIPAA to confer business associate status on a broader range of individuals and organizations that directly or indirectly service covered entities in the healthcare industry or group health plans of employers in any industry. For example, health information organizations, medical record storage companies and downstream contractors/service providers of business associates that handle PHI are just some of the entities that will become subject to HIPAA as business associates, and be required to comply with HIPAA by September 23, 2013. For more information about entities that qualify as business associates and the obligations of business associates under the Final Rule, click here.
To comply with requirements imposed by the Final Rule, covered entities and their business associates must take a number of actions, several of which are listed below:
- Covered entities and business associates must update their HIPAA policies and procedures to incorporate changes imposed by the Final Rule and train their workforce members on the new HIPAA standards;
- Both covered entities and business associates must identify contractors, subcontractors and other entities that now qualify as business associates under the Final Rule. Existing Business Associate Agreements must be updated to comply with the Final Rule by September 23, 2013 (unless they meet criteria for a one-year extension), and new Business Associate Agreements must be put in place for all contractors who will now qualify as business associates under the Final Rule’s expanded definition;
- Business associates must comply with all aspects of the HIPAA Security Rule and have policies and procedures in place to evidence compliance;
- Covered entities must update, post and distribute or re-distribute a Notice of Privacy Practices that includes changes imposed by the Final Rule; and
- Both covered entities and business associates must change their breach notification policies and procedures for determining when patient or governmental notice of a breach of unsecured PHI is required. For more information on changes to the breach notification requirements under the Final Rule, click here.
Stepped Up Enforcement
OCR, the agency responsible for enforcing HIPAA, has stepped up its audit and enforcement activities, as evidenced by steep penalties recently imposed for breaches and noncompliance with HIPAA. Noncompliance with HIPAA can result in civil monetary penalties of up to $1.5 million per identical violation per year.
To properly protect PHI and avoid these penalties and fines, individuals and organizations should determine whether they are subject to HIPAA as a covered entity or business associate and, if so, take prompt action to comply with the Final Rule by the September 23, 2013, deadline. We have been assisting a number of clients in these efforts in anticipation of this deadline and with ongoing HIPAA compliance. If you would like assistance, or have questions about any aspect of HIPAA, please contact any of our Employee Benefits or Health Care professionals.