HIPAA Omnibus Rule Deadline is Sept 23rd – Here’s How to Comply…

On September 23, 2013, the Health Insurance Portability and Accountability Act Omnibus Rule goes into effect, significantly increasing the privacy and reporting obligations of covered entities and their business associates and subcontractors.

Will you be ready? Five resources to help:

“If you are a covered entity or a business associate … [h]ave you checked into purchasing cyber liability insurance and/or considered requiring coverage from those with whom you contract under HIPAA?”

“The definition of business associate now includes any subcontractor of a business associate that will create, receive, maintain or transmit PHI on behalf of the business associate, other than as a member of the workforce of the business associate. (infinite flowdown—each business associate and subcontractor must require its subcontractors to comply with at least the same requirements as it must comply with).”

“The Omnibus Rule modified the standard for reporting breaches of unsecured PHI. No longer will the ‘risk of harm’ threshold be available to eliminate reporting. Under the new standard, a breach is reportable unless (1) the covered entity or business associate demonstrates a low probability that the information has been compromised based on a thorough risk assessment, or (2) the breach fits within certain limited exceptions. In light of this modified standard, covered entities and business associates should revise their breach notification policies and procedures.”

“Covered Entities and Business Associates are still required to obtain individuals’ authorization to disclose their PHI for marketing purposes under the Omnibus Rule, but the Omnibus Rule narrowed the definition of ‘marketing,’ so that it does not include the following as long as no payment is received from or on behalf of a third party whose products or services are being described: (a) refill reminders; and (b) communications for treatment and health care operations purposes.”

“The Final Rule changed the definition of ‘breach’ as well as the risk assessment that must be undertaken to determine if there has been a breach. It is more likely that an impermissible access, use or disclosure of PHI will be a ‘breach’ necessitating notification to the individual, HHS, and possibly the media. Breach response policies should reflect the new standards.”

The updates:

Find additional commentary and analysis on the Health Insurance Portability and Accountability Act at JD Supra Law News.