Countdown to Enforcement! Are You HIPAA-Ready for September 23, 2013?
on August 12, 2013
Health care entities now have less than six weeks to comply with the HIPAA Omnibus Rule. September 23, 2013 is the deadline for full compliance. Below is a useful checklist to assist you in meeting the deadline.
Update and Distribute Your HIPAA Notice of Privacy Practices
1. Update: Make sure your HIPAA Notice of Privacy Practices contains:
- A description of the types of uses and disclosures that require an authorization, specifically including, as applicable, marketing, psychotherapy notes, and disclosures that constitute a sale of protected health information (“PHI”).
- The individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the health care item or service.
- A statement that the covered entity must notify affected individuals following a breach of unsecured PHI.
- A statement that the individual may be contacted for fundraising purposes and has a right to opt out of such communications, if applicable.
- A statement that the health plan is prohibited from using or disclosing genetic information for underwriting purposes, if applicable.
2. Distribute: Health care providers must (1) distribute the Notice to all new patients; (2) post the Notice in a clear and prominent location at all delivery sites and on their website; and (3) make the Notice available at all delivery sites and upon request from an individual. Health plans must (1) either prominently post the Notice on their website or provide individuals with the Notice and (2) distribute the Notice in their next annual mailing.
Review Your Contracts and Update Your Business Associate Agreements ("BAA")
1. Who are your Business Associates? Review your contracts to make sure you capture all “business associates” in light of the expanded definition.
2. Business Associate Agreement. Your BAA must now require the business associate to:
- Comply with the Security Rule regarding electronic PHI.
- Comply with the Privacy Rule requirements applicable to the covered entity, to the extent the business associate is to carry out the covered entity’s obligations.
- Enter into written business associate agreements with their subcontractors.
HIPAA Policies and Procedures. Review and update your HIPAA policies and procedures to incorporate the HIPAA Omnibus Rule changes, including:
Breach Notification. Revise your breach notification policies and procedures to incorporate the new definition of breach and to include the four factors necessary to conduct a breach risk assessment.
- Changes to numerous definitions, including, business associate, electronic media, PHI, reasonable cause, marketing, and health care operations.
- Uses and disclosures for which an individual’s authorization is required.
- An individual's right to restrict the use and disclosure of PHI to a health plan.
- An individual's right of access to electronic PHI.
- Uses and disclosures of PHI of deceased individuals.
- Authorizations for research purposes.
- Authorizations for disclosures of immunizations to schools.
- A prohibition on most health plans from using or disclosing genetic information for underwriting purposes in accordance with the Genetic Information Nondiscrimination Act.
- New limitations on the use and disclosure of PHI for marketing and fundraising.
- A prohibition on the sale of PHI without authorization.
Authors: Joy Kosiewicz, JD, Partner, Health Care Practice Group; Isabelle Bibet-Kalinyak, JD, MBA, Associate, Health Care and Labor and Employment Practice Groups.
Training. Train all staff, including top management and board members, on the changes to the HIPAA regulations and your revised policies and procedures.
Collective Experience. Collaborative Culture. Creative Solutions.