By Jack Anderson
July 25, 2013
The healthcare law firms are continuing to sound the alarm, and it isn't "The British are coming," it is "The HIPAA auditors are coming." The Omnibus Regulations went into effect in March of 2013, so if you haven't updated your policies and procedures since then, they are seriously out of date. In the case of your business associates, odds are that they have little or no written policies and procedures in place despite having agreed to be compliant in their BA agreement. Ask some questions about how they access, store, process, maintain, and most importantly how they protect your PHI. If you don't have the tools for doing that, take a look at www.compliancehelper.com/batracker
Here is the complete article:
If you haven't focused on HIPAA lately, now is the time. On January 25, 2013, the Department of Health and Human Services issued final regulations implementing revisions to the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as a result of the extensive revisions to HIPAA made by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. These new regulations, known simply as the "Omnibus Regulations," became effective March 23, 2013, and require all HIPAA-covered entities, including employer-sponsored group health plans, to update their HIPAA policies and procedures by September 23, 2013.
As described in our earlier post, “New Final Regulations Strengthen HIPAA Privacy and Security Rules,” these extensive Omnibus Regulations:
expand the scope and impact of the Privacy and Security Rules on business associates;
impose significant new restrictions on the use of protected health information (PHI);
revise individual rights to reflect various HITECH Act requirements;
implement new enforcement of the tiered penalty structure established by the HITECH Act;
redesign the final HITECH Act breach notification rule; and
include genetic information in the definition of PHI.
If you provide medical, dental, vision, wellness, employee assistance benefits, or if you sponsor a health reimbursement arrangement or a health flexible spending account plan, your HIPAA privacy compliance is likely out of date and should be reviewed immediately in light of the Omnibus Regulations. Also, on or before September 23, 2013, your plan should update and reissue its Notice of Privacy Practices. Don’t forget that your privacy officer will need to arrange for updated training for all employees who may come into contact with protected health information on behalf of your health plans.
Finally, note that your business associate agreements also will require updating, but you have an extra year until September 23, 2014, to update those agreements that were in place when the Omnibus Regulations were issued in January. Any new business associates will need to execute agreements with the health plan which incorporate changes implemented by the new rules.