The deadline for compliance with the HIPAA Omnibus Rule is September 23, 2013. Are you ready? Greenberg Traurig LLP Eleanor (Miki) A. Kolton

August 16, 2013

Just another gentle reminder that the clock is ticking and September 23rd is right around the corner. For many business associates it is not as much about updating their privacy and security policies and procedures as it is about creating them. Since neither HHS nor the covered entities have been enforcing HIPAA for business associates, the majority have stayed in denial. This is changing on both levels, as CEs are demanding proof of compliance from their BAs and HHS is getting ready to audit BAs. Here is the complete article:

The deadline for compliance with the HIPAA Omnibus Rule is September 23, 2013. Are you ready? Greenberg Traurig LLP, Eleanor (Miki) A. Kolton

The HIPAA Privacy Rule and portions of the HIPAA Security Rule were dramatically amended by an omnibus rule published by the Department of Health and Human Services in January 2013. Highlights of the changes that need to be made by covered entities (CE) and business associates (BA) are:

Changes to the Notice of Privacy Practices (NPP) and medical records release forms. In particular, the NPP needs to apprise individuals that they will be informed if their protected health information (PHI) is breached;

Business associate agreements (BAA) need to reflect that BAs are now directly liable for compliance and enforcement of HIPAA rules and indicate that BAs will obtain written assurance of compliance from downstream contractors and vendors; and

BAs must put into place policies and procedures for compliance with privacy and security rules.

The deadline for CEs and BAs to come into compliance with the new rules is September 23, 2013. CEs and BAs must start to do the following:

Modify BAAs and policies and procedures to reflect changes to the breach notification rules, which includes ensuring the new four-factor risk assessment is met;

Modify BAAs and policies and procedures to address the prohibition on the sale of individuals' PHI without permission;

Modify and implement new policies and procedures that address the new limits on permissible uses of information for marketing and fundraising activities;

Modify BAAs and policies and procedures to address the expanded rights of individuals to restrict disclosures of PHI;

Modify BAAs and policies and procedures to address expanded rights of individuals to receive copies of their PHI, including electronically; and

Make sure personnel are trained on new requirements and updated policies and procedures.

Companies should consider the following to ensure compliance by the September 23, 2013 deadline:

Implementation or review of an existing HIPAA Privacy Policy Manual, including policies and procedures and forms such as the NPPs and releases of health information form;

Preparation of a new or revised BAA form (which includes, but is not limited to, addressing downstream contractors);

Implementation or review of an existing HIPAA Security Policy Manual, including guidance for performing a risk assessment and model policies; and

Implementation of workforce training.

Chad Ehrenkranz