Deadline for HIPAA Omnibus Rule Approaching: Help for Compliance

by Kim C. Stanger

The deadline for complying with the new HIPAA Omnibus Rule is September 23, 2013. Per our prior alerts and webinars, healthcare providers, other covered entities, and their business associates must take certain steps before then to ensure compliance, including the following:

1. Covered entities should review existing relationships with business associates and execute or modify business associate agreements to ensure they contain the elements required by the new HIPAA Privacy and Security Rules. For information about the required elements, see our Checklist for HIPAA Business Associate Agreements.
2. Business associates must now comply with the HIPAA Security Rule requirements found at 45 CFR part 164, subpart C. Among other things, business associates must ensure they have completed the required risk assessment and implemented the required administrative, technical and physical safeguards. They must also ensure they have practices in place to comply with business associate agreement terms relating to the HIPAA Privacy Rules.
3. Covered entities must update their HIPAA privacy policies to incorporate new Omnibus Rule requirements, including those relating to the new breach notification standard; access to electronic information; limits on disclosures to health insurers; marketing; sale of protected health information; fundraising; and disclosures about deceased individuals.
4. Covered entities must update their Notice of Privacy Practices to incorporate new terms, including new limits on disclosures and breach notification requirements.
5. Covered entities and business associates must train members of their workforce concerning the new rules and policies, and document the training.

For more specific guidance, see our Health Law Update, HIPAA Omnibus Rule: Checklist for Compliance.

Help for Compliance. To help clients comply with the new Omnibus Rules, we have prepared an updated set of sample forms that health care providers and business associates may use as appropriate to their circumstances, including the following:

• Privacy Policies
• Breach Notification Policy
• Notice of Privacy Practices
• Business Associate Agreements
• Confidentiality Agreements
• Authorization for Disclosure of Protected Health Information
• Designation of Privacy and Security Officers
• Patient Requests to Access or Amend Information
• Accounting of Disclosure Log
• Sample letters to patients, persons seeking information, and in response to OCR investigation
• Checklists for compliance.

If you would like more information concerning the sample forms, please contact Kim Stanger at kcstanger@hollandhart.com or (208) 383-3913.

We have also conducted a series of webinars discussing HIPAA compliance. These webinars are available for free download at http://www.hhhealthlawblog.com/webinar-recordings.html.

For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: kcstanger@hollandhart.com, phone: 208-383-3913

This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.