The HIPAA/HITECH Omnibus Final Rule, which came into effect in March 2013 to improve privacy and security requirements, had a 180-day compliance period. That period is going to end on September 23, 2013. The new rule not only covers employers who sponsor HIPAA-covered plans, but also requires vendors who provide services to HIPAA-covered plans (for example, insurance brokers and pharmacy benefit managers) and business associates to follow the HIPAA regulations. The U.S. Department of Health and Human Services (HHS) can take action against both parties in case of a HIPAA security breach. So, what should an organization that supports HIPAA-covered plans, or a business associate, do to comply with the HIPAA/HITECH Omnibus Final Rule before the deadline?

  • Put into Practice or Revise Security Policies and Procedures – A security breach can lead employers and business associates to make costly settlements under the new law. It is therefore very important for both parties to implement or update security policies and procedures according to the new law to reduce the risk of a security breach. Conduct a risk assessment to ensure the safety of Protected Health Information (PHI) and check whether the new privacy policies and procedures mitigate the potential risk of a security breach.
  • Revise or Implement Privacy Policies and Procedures – If you are an employer that sponsors HIPAA-covered plans, then you must have already implemented HIPAA privacy policies and procedures. To comply with the new HIPAA law, you should update all those policies and procedures, as there is a new standard for identifying a security breach and new procedures apply to requests for access to PHI. The Omnibus Final Rule curbs not only disclosure of PHI, but even the risk of disclosure. For example, if you store PHI on a computer or transmit it over the internet without password protection or encryption, it is termed a security breach under the final rule even if it is not accessed or used by anyone. At the same time, business associates are also legally responsible for implementing privacy policies and procedures that comply with the final rule.
  • Have or Revise Business Associate Agreements – The Omnibus Final Rule requires new provisions to be added to business associate agreements along with earlier provisions, such as that business associates should comply with the requirements of the HIPAA Security Rule, report any security breach to the relevant covered entity, have business associate agreements with their subcontractors who have access to PHI, and comply with the requirements of the HIPAA Privacy Rule while handling any responsibility given to them by the covered entity. So, if you are a business associate, it is imperative to enter into a business associate agreement with your subcontractor. If you are an employer, review the business associate agreements and update them to add the new provisions. Though several vendors are already updating the agreements, covered health plans are given a deadline of September 22, 2014 to update existing business associate agreements.
  • Renew HIPAA Privacy Notice – Employers must update their HIPAA Notice of Privacy Practices on or before September 23, 2013 to inform the participants in HIPAA-covered plans about new rights and restrictions regarding the use of PHI. Employers can post the notice on their website or distribute it within 60 days of the effective date.
  • Training for Employees – Employees of organizations that sponsor HIPAA-covered plans, or of business associates, should be informed about HIPAA regulations and what they should do to ensure compliance. Only then can both parties meet the complex HIPAA compliance obligations. Refresher training can be provided for employees.