HIPAA Alert: Action Steps To Reach Compliance


As discussed in two prior HIPAA alerts, a final, 563-page Omnibus HIPAA Rule was released by the Department of Health and Human Services Office of Civil Rights to strengthen HIPAA’s security and privacy protections. The final rule makes sweeping changes to HIPAA’s data security and breach requirements that will have widespread effects on covered entities, business associates, and subcontractors of business associates.

Enactment of the final rule, which becomes effective on March 26, 2013, provides a good opportunity for clients to evaluate all aspects of HIPAA compliance. Clients that fall within the purview of HIPAA should take the following steps:

  • Assess whether you are a covered entity or business associate to determine whether HIPAA is applicable to you.
  • If you are governed by HIPAA, ensure you have the proper business associate agreements in place. Even if you are a business associate, HIPAA may require that you have a business associate agreement with other entities such as subcontractors with whom you work. If you have executed a business associate agreement, review the agreement and its terms to ensure compliance.   
  • Update your breach notification policies to account for the final rule’s presumption of a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information is compromised. At a minimum, updated breach notification policies should incorporate the four factors that must be considered when conducting a risk assessment.
  • Assess your notice of privacy practices to ensure that it incorporates the latest changes in the final rule.   
  • Review your training policies to ensure that employees are properly trained on different aspects of HIPAA’s privacy and security rules. In particular, train employees about any new changes to your breach policies or notice of privacy practices.

Bernstein Shur’s Health Care Practice Group and Data Security Team can assist you with any of the action steps referenced above. For more information, contact Travis Brennan at 207 228-7146 or tbrennan@bernsteinshur.com.

Topics:  Business Associates, Compliance, Data Breach, Data Protection, HHS, HIPAA, HIPAA Omnibus Rule, Notice Requirements, OCR, Privacy Rule, Subcontractors

Published In: General Business Updates, Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bernstein Shur | Attorney Advertising
