On January 25, 2013 the Department of Health and Human Services issued the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, commonly referred to as the “HIPAA Omnibus Rule.”
Compliance with most changes set forth in the HIPAA Omnibus Rule was required by September 23, 2013, but there is still time to make the necessary updates to comply. The new rule greatly expands the HIPAA requirements applicable to business associates. Additionally, business associates’ subcontractors are required to comply with HIPAA requirements. Business Associate Agreements must be updated to comply with this and other changes.
Further, practices’ Notice of Privacy Practices must be updated to include new information regarding required patient authorizations for disclosures of protected health information.
The HIPAA Omnibus Rule also includes new breach notification requirements and a new analysis of what constitutes a breach. All breaches are now presumed reportable unless, after a proper analysis, there is a low probability that protected health information has been compromised.
Please contact Ann Breitinger or any member of our health care law services group for more information regarding the new HIPAA Omnibus Rule or if you require updated and compliant business associate agreements or notice of privacy practices.