In January 2013, the Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) released its long-anticipated rule (the “Omnibus Rule”) amending the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. The Omnibus Rule became effective on March 26, 2013 and covered entities must comply with most of the rule’s requirements no later than September 23, 2013.
Features of the New Omnibus Rule
- Expansion of the definition of “Business Associates” to include subcontractors who access protected health information (“PHI”);
- Enhanced compliance enforcement and harsher penalties for non-compliance;
- Imposition of direct liability on Business Associates for compliance with certain requirements of the HIPAA Privacy and Security Rules;
- Additional and revised provisions that covered entities and Business Associates must include in their Business Associate Agreements (“BAAs”) (all existing BAAs must comply with these requirements by September 22, 2014);
- Additional disclosures in covered entities’ HIPAA Privacy Notices, including informing individuals of their right to be notified of breaches of their PHI;
- Substantial lowering of the threshold for notification of affected individuals in the event of a breach of PHI;
- Individuals’ enhanced ability to restrict disclosures of certain PHI;
- Expansion of individuals’ rights to access their PHI, particularly in electronic format; and
- Enhanced information system security requirements.
What You Need to Do to Comply with the Omnibus Rule
- Amend your Notice of Privacy Practices;
- Revise your Business Associate Agreements;
- Update your HIPAA Policies and Procedures;
- Develop, conduct, and document regular system security risk assessments;
- Implement specific administrative, physical and technical safeguards for the protection of PHI;
- Revise your breach notification procedures;
- Train staff on the rule’s new requirements; and
- If you are a Business Associate, prepare to fully comply with HIPAA, including entering into Business Associate Agreements with subcontractors who have access to PHI.
To help you avoid criminal and civil liability and the imposition of large monetary penalties, Kaufman & Canoles is pleased to assist in bringing you into compliance with the new requirements of the Omnibus Rule. Please contact us for assistance in creating, revising or implementing your organization’s privacy or data security practices, or if you have any questions regarding HIPAA as it may apply to your organization. –T. Braxton McKee and Jason R. Davis