We hope you had a wonderful summer! Back in May, we alerted our readers to the deadline for complying with the HIPAA Omnibus Rule: September 23, 2013. That may have seemed like a long way off at the time, but here it is September already. Health care plan sponsors who have not yet taken action to ensure compliance with the Rule need to make this a priority. For example, plan sponsors may need to update and distribute new notices of privacy practices, revise and execute new and/or revised business associate agreements, and ensure that their privacy and security policies are up-to-date. While this seems like a lot, it can be accomplished before the deadline.
Business associates need to take action, as well, to ensure that they are complying with the portions of the privacy rules and security rules that are now directly applicable to business associates. One of the more significant aspects of the HIPAA Omnibus Rule as it relates to business associates is that business associates now need to enter into their own written HIPAA agreements with any subcontractors that handle protected health information. In addition, when asked to sign updated business associate agreements with their clients, a business associate needs to consider whether it has systems in place to actually comply with the agreement (so as to avoid contractual liability), and whether it has systems in place to comply with the Omnibus Rule (so as to avoid direct liability).
If you are a plan sponsor or a business associate and you happen to read this blog after September 23, 2013, but you haven’t yet taken these steps, our best advice is: get on it! We can expect to see more enforcement action in the near future.