On September 23, 2013, Covered Entities and Business Associates must be compliant with the final Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule (the “HIPAA Final Rule”). The HIPAA Final Rule modified existing HIPAA provisions and enacted new provisions regarding health information privacy and security standards. With the compliance deadline fast approaching, Covered Entities and Business Associates must ensure that they have made the required updates to Business Associate Agreements (“BAAs”) and other HIPAA-related policies.
Failure to comply with these new requirements could lead to sanctions, including significant fines.
Covered Entities and Business Associates must do the following by September 23, 2013:
Revise Business Associate Agreements
Many existing BAAs must be updated to comply with the HIPAA Final Rule. However, if the Covered Entity or Business Associate had an existing BAA that was in effect before January 25, 2013, the amendments are not required until September 22, 2014. Covered Entities are also advised to take a fresh look at their vendor relationships to ensure that a BAA is in place with each vendor that receives, transmits, maintains, or creates protected health information (“PHI”) on behalf of the Covered Entity. If you find you have vendors without BAAs, you should remedy that as soon as possible.
All BAAs should be reviewed for compliance with the HIPAA Final Rule, including, but not limited to, the following required provisions:
Business Associates must comply with the HIPAA Security Rule;
Business Associates must comply with certain aspects of the HIPAA Privacy Rule;
Business Associates must report any breaches of unsecured PHI to the Covered Entity; and
Business Associates must require subcontractors of the Business Associate who use, disclose, create or otherwise have access to PHI to agree to the same restrictions as the Business Associate.
Update Notice of Privacy Practices (“NPP”)
The NPP must be updated, posted and made available to all patients by September 23, 2013. Briefly, the required changes to the NPP include:
A statement that the following uses and disclosures require an authorization:
o Many uses of psychotherapy notes;
o Uses and disclosures of PHI for marketing; and
o Sale of PHI.
For Covered Entities that are health care providers, a statement concerning a patient’s right to request restrictions on certain uses and disclosures of PHI, including the right to pay “out of pocket” for treatment and not have the bill for services submitted to the patient's health plan.
A statement regarding a patient's right to “opt out” of receiving fundraising communications, if the Covered Entity does fundraising.
A statement that the patient will be notified if there is a breach of the patient's PHI.
A statement that certain uses and disclosures of the patient's PHI will only be made pursuant to an authorization from the patient.
Update Breach Notification Policies
Under the HIPAA Final Rule, the standards for reporting breaches of unsecured PHI have been expanded. These new standards must be included in the Covered Entity's or Business Associate’s updated policies and procedures.
Amend Policies and Procedures
Covered Entities should review their HIPAA policies and procedures to ensure they reflect the changes and new requirements from the HIPAA Final Rule, including:
Having a policy and procedure for allowing patients to restrict notification to their health insurance plan for items and services that they request and pay for entirely “out of pocket.”
Having a policy and procedure for patients to request and obtain electronic copies of records in their “designated records set” (i.e., patient medical records, billing records, etc.) that are maintained electronically.
Changing policies and procedures to honor requests for a decedent's medical records from family members and others who were involved in the patient's care before death, unless the provider has knowledge that such a request is inconsistent with the patient's wishes.
Changing policies and procedures to permit disclosure of immunization records to schools if required by law.