The September 23, 2013 compliance deadline for covered entities, business associates and their subcontractors to implement the new HIPAA rules is approaching quickly. In case you missed it, on January 25, 2013, the U.S. Department of Health and Human Services issued an omnibus final rule modifying the privacy, security, breach notification and enforcement rules issued under the Health Insurance Portability and Accountability Act of 1996. The rule took effect on March 26, 2013, and compliance is required by September 23, 2013; your business must review its policies and take the necessary steps to ensure HIPAA compliance and avoid the penalties that can follow from failing to act.
The final rule made sweeping changes to the privacy, security, enforcement and breach notification rules under HIPAA. Additionally, subcontractors of business associates are now covered under HIPAA and must agree to the same restrictions and conditions as the business associate. Both businesses familiar with HIPAA and those new to HIPAA compliance need to use the remaining time before September 23 to ensure they are ready to meet the deadline. The following items should be on any HIPAA compliance checklist:
- Covered Entities Must Update Notices of Privacy Practices: The final rule mandates changes to covered entities’ notices of privacy practices (“NPP”). The required updates are fairly specific but include provisions such as describing uses and disclosures of protected health information (“PHI”) for which an authorization is needed (sale of PHI, use of PHI for marketing purposes, etc.) and informing patients of their right to be notified in the event of a breach of unsecured PHI.
- Business Associate Agreement Updates: A valid business associate agreement now requires additional provisions under the final rule, and organizations should update any current agreements. Business associates must agree to report any breaches of unsecured PHI to the covered entity, regulate their subcontractors, and comply with HIPAA’s privacy rule to the extent they are performing the covered entity’s obligations.
- Breach Response Policies: The final rule sets new standards for breach response, and businesses need to review their current policies for necessary changes. The updates range from a revised definition of “breach” to a revised risk assessment: an impermissible use or disclosure of PHI is now presumed to be a breach unless the organization can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised. On the whole, these changes make it more likely that an unauthorized use or disclosure will constitute a reportable breach.
- HIPAA Authorization Form: Businesses must revise their HIPAA authorization form to reflect new rules and standards. These changes are fairly straightforward in the final rule, but if companies are engaged in sending or requesting PHI, their HIPAA authorization must be updated.
- HIPAA Policy and Procedure Manuals: Numerous changes, large and small, should be reflected in your organization’s HIPAA manual and associated policies. Some of the changes are derived from the aforementioned amendments to NPPs, business associate agreements, and breach notification. Other updates pertain to electronic medical records. Organizations should amend their policies to reflect the new rules.
- Training Employees: Businesses cannot simply update their written materials and carry on. Employees involved in handling PHI should be trained on the updated rules and should understand the new policies and standards before the deadline.
Although the clock is ticking down to the September 23 compliance deadline, there is still time to act. If you are a covered entity, business associate or a subcontractor of either, use the remaining weeks to analyze these areas of your HIPAA policies and procedures and take necessary steps to ensure your compliance.