HIPAA Alert: Caution!! Deadline Is September 23, 2013 - Action Must Be Taken To Comply With New Requirements Imposed By The HIPAA Omnibus Rule

September 23, 2013 is the effective compliance date for many changes to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules required by the "HIPAA Omnibus Rule," as published in January 2013. All "Covered Entities" and "Business Associates" must take the actions necessary to comply with the various requirements of the HIPAA Omnibus Rule.

A brief summary of some of the key changes is set forth below:

1. Notice of Privacy Practices ("NPP") Must Be Updated.  The NPP must be updated, posted and made available to all patients by September 23, 2013. Briefly, the required changes to the NPP include:

  1. A statement that the following uses and disclosures require an authorization:

     (i) many uses of psychotherapy notes;

     (ii) uses and disclosures of protected health information ("PHI") for marketing; and

     (iii) sale of PHI.

  2. A statement concerning a patient's right to request restrictions on certain uses and disclosures of PHI, including the right to pay "out of pocket" for treatment and not have the bill for services be submitted to the patient's health plan.
  3. A statement regarding a patient's right to "opt out" of receiving fundraising communications.
  4. A statement that the patient will be notified if there is a breach of the patient's PHI.
  5. A statement that certain types of uses and disclosures of the patient's PHI will only be made pursuant to an authorization from the patient.

2. Update Breach Notification Policies. Under the HIPAA Omnibus Rule, the standards for reporting breaches of unsecured PHI have been expanded. These new standards must be included in the Covered Entity's policies and procedures, which will need to be updated accordingly.

3. Revise Business Associate Agreements.  Business Associate Agreements ("BAAs") must be updated. If you have an existing BAA that was in effect before January 25, 2013, you will have until September 22, 2014 to amend it.

Some of the key changes to your BAA include the following: 

  1. Business Associates must comply with the HIPAA Security Rules; and
  2. Business Associates must comply with certain aspects of the HIPAA Privacy Rule; and
  3. Business Associates must report any breaches of unsecured PHI to the Covered Entity; and
  4. Business Associates must require subcontractors of the Business Associate who use, disclose, create or otherwise have access to PHI to agree to the same restrictions as the Business Associate.

4. Amend Policies and Procedures. Covered Entities are required to implement policies and procedures for several key requirements of the HIPAA Omnibus Rule, including but not limited to:

  1. Allow patients to restrict notification to their health insurance plan for services that they request and pay for "out of pocket."
  2. Allow patients to obtain electronic copies of their medical records if the practice maintains such electronic records.
  3. Change policies to permit disclosures of a decedent's PHI to family members and others who were involved in the patient's care before death, unless such disclosure is inconsistent with the patient's wishes.
  4. Change policies and procedures to permit disclosure of immunizations to schools if required by law.

In addition to the above, if the Covered Entity conducts marketing policy, research or fundraising, the NPP must be updated.

Please note that the HIPAA Omnibus Rule requires additional changes for health plans.

All Covered Entities and Business Associates (as well as subcontractors of Business Associates) must carefully review their policies and procedures to ensure compliance with all the new applicable HIPAA requirements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilentz, Goldman & Spitzer P.A. | Attorney Advertising

Written by: Wilentz, Goldman & Spitzer P.A.
