HIPAA Compliance Date: Sept. 23, 2013


Impending HIPAA Compliance Date

As discussed in prior HIPAA Alerts, a final 563-page Omnibus HIPAA Rule was released by the Department of Health and Human Services Office of Civil Rights (OCR) to strengthen HIPAA’s security and privacy protections. Although the final rule took effect on March 26, 2013, covered entities and business associates were given until September 23, 2013 to comply with the applicable requirements of the final rule. The compliance date is now just around the corner. With increased enforcement of HIPAA compliance by OCR and greater sensitivity by patients to their protected health information, HIPAA compliance has become paramount.

Data gathered by OCR demonstrate the wide array of providers that OCR has investigated for HIPAA compliance. OCR’s data indicate that the types of covered entities that have been required to take corrective action include, in order of frequency:

  • Private Practices
  • General Hospitals
  • Outpatient Facilities
  • Health Plans
  • Pharmacies

OCR’s data further show that HIPAA complaints commonly involve improper disclosures of protected health information (implicating the Privacy Rule) and lack of safeguards for protected health information (implicating the Security Rule). The compliance issues investigated most by OCR are, in order of frequency:

  • Impermissible uses and disclosures of protected health information
  • Lack of safeguards of protected health information
  • Lack of patient access to their protected health information
  • Uses or disclosures of more than the minimum necessary protected health information
  • Lack of administrative safeguards of electronic protected health information

Recent cases demonstrate the vigor with which OCR is enforcing the HIPAA rules. In particular, on August 7, 2013, a covered entity agreed to pay $1,215,780 to the U.S. Department of Health and Human Services to settle potential HIPAA violations after OCR discovered that the protected health information of 344,579 individuals was impermissibly disclosed when the covered entity returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. This settlement is a warning to covered entities and business associates that all facets of an entity’s operation need to be reviewed when considering HIPAA compliance.   


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bernstein Shur | Attorney Advertising
