By Jeremy M. Alexander, Natalie E. Brown & Susan A. Ebersole

The day all covered entities and business associates have been working toward is here—September 23, 2013, the deadline to comply with the changes in the HIPAA omnibus final rule, published on January 25, 2013.  Here is a review of the top three compliance categories for your checklist:

1. Business Associate Agreements (BAAs): Covered entities and business associates should double check that existing BAAs and all new BAAs contain provisions that require business associates to:

  • Comply with the Security Rule;
  • Report to the covered entity any breach of unsecured PHI;
  • Comply with the provisions of the Privacy Rule to the extent the business associate is carrying out a covered entity’s Privacy Rule obligations (e.g., the obligation to provide an individual with an accounting of disclosures of his or her PHI); and
  • Enter into BAAs with subcontractors imposing the same obligations that apply to the business associate.

Note, however, that existing BAAs that (i) were entered into on or before January 25, 2013; (ii) meet the requirements that were applicable prior to the promulgation of the HIPAA omnibus final rule; and (iii) were not renewed or modified between March 26, 2013 and September 23, 2013, do not have to be updated until the BAA is renewed or modified or until September 23, 2014, whichever is earlier.  An automatic renewal under an “evergreen clause” does not constitute a renewal or modification for purposes of the availability of the grandfather period. 

Sample BAA provisions can be found on OCR’s website. Other provisions, such as indemnification provisions and provisions regarding notification and mitigation in the event of breach (including provisions regarding how promptly such breaches must be reported to the covered entity), also should be considered, especially in light of HITECH’s increased penalties.

2. Notices of Privacy Practices (NPPs): The omnibus final rule requires changes to NPPs that clarify individuals’ rights regarding their PHI.  NPPs must now include, if applicable, statements explaining that:

  • Authorization is required for most uses and disclosures of psychotherapy notes and for uses and disclosures of PHI for marketing, sales or purposes not delineated in the NPP;
  • Covered entities must notify individuals following a breach of their unsecured PHI;
  • Individuals can prevent disclosures of PHI to their health plan for payment or operations purposes if they pay fully out of pocket for an item or service;
  • Individuals have the right to opt out of fundraising communications; and
  • Health plans, other than issuers of long-term care policies, cannot use or disclose individual genetic PHI for underwriting purposes. 

Just last week, OCR released model NPPs for both health plans and health care providers. The models are available in three different user-friendly styles, and OCR explains that the “models reflect the regulatory changes of the Omnibus Rule and can serve as the baseline for covered entities working to come into compliance with the new requirements.”

3. Modify policies and procedures to:

  • Reflect changes to the breach notification rules, which include ensuring the new four-factor risk assessment is met;
  • Address the prohibition on the sale of an individual’s PHI without authorization;
  • Address the new limits on permissible uses of information for marketing and fundraising activities;
  • Address the expanded rights of individuals to restrict disclosures of their PHI, including to a health plan when they are paying for health care out of pocket; and
  • Address the expanded rights of individuals to obtain copies of their PHI, including to receive it in electronic form when it is maintained electronically by the covered entity.