Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Countdown Begins for HIPAA Omnibus Rule Compliance

Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation
Written by Dianne J. Bourque and Stephanie D. Willis

The HIPAA Omnibus Rule goes into effect today, which officially starts the clock for covered entities, business associates, and their subcontractors to begin updating their agreements, forms, policies, procedures, and practices to meet approaching compliance deadlines.

Business Associate Agreement (BAA) and Data Use Agreement (DUA) compliance deadlines depend on whether there is a current agreement in place that meets regulatory requirements.  New BAAs and DUAs must comply with Omnibus Rule requirements by September 23, 2013; otherwise, BAAs and DUAs that only became non-compliant after the Office for Civil Rights (OCR) released the Omnibus Rule may remain in effect until September 22, 2014 (or until the applicable agreement renewal date).  All parties must still comply with the Breach Notification interim final rule requirements under the HITECH Act during the 180-day transition period between March 26th and September 23rd of this year.

In the meantime, covered entities and business associates should be at least planning, if not undertaking, the following tasks:

  1. Preparing new, Omnibus Rule-compliant BAAs and DUAs in advance of contract renewal dates or the compliance deadline;
  2. Updating HIPAA policies and procedures and training materials;
  3. (Re)educating staff on their duties and responsibilities regarding protected health information and breach notification requirements; and
  4. Remaining alert for additional guidance from OCR.
Originally posted in Mintz Levin’s Health Law Policy Matters blog.