HIPAA Alert: Action Steps To Reach Compliance
As discussed in two prior HIPAA alerts, a final, 563-page Omnibus HIPAA Rule was released by the Department of Health and Human Services Office of Civil Rights to strengthen HIPAA’s security and privacy protections. The final rule makes sweeping changes to HIPAA’s data security and breach requirements that will have widespread effects on covered entities, business associates, and subcontractors of business associates.
Enactment of the final rule, which becomes effective on March 26, 2013, provides a good opportunity for clients to evaluate all aspects of HIPAA compliance. Clients that fall within the purview of HIPAA should take the following steps:
- Assess whether you are a covered entity or business associate to determine whether HIPAA is applicable to you.
- If you are governed by HIPAA, ensure you have the proper business associate agreements in place. Even if you are a business associate, HIPAA may require that you have a business associate agreement with other entities such as subcontractors with whom you work. If you have executed a business associate agreement, review the agreement and its terms to ensure compliance.
- Update your breach notification policies to account for the final rule’s presumption of a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. At a minimum, updated breach notification policies should incorporate the four factors that must be considered when conducting a risk assessment.
- Assess your notice of privacy practices to ensure that it incorporates the latest changes in the final rule.
- Review your training policies to ensure that employees are properly trained on different aspects of HIPAA’s privacy and security rules. In particular, train employees about any new changes to your breach policies or notice of privacy practices.