Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney


Posted in HIPAA/HITECH, Privacy Monday, Privacy Regulation

Today’s the day! Today marks the long-awaited compliance date for the HIPAA Omnibus Rule.

In case you have put any thoughts of compliance with the Omnibus Rule out of your mind, you can no longer escape.

Here are the five key things that you should have done by today:

  1. Update Notices of Privacy Practices (“NPPs”). The Final Rule requires changes to be made to covered entities’ NPPs. These include: a) describing uses and disclosures of protected health information (“PHI”) for which an authorization is required from the patient (such as sale of PHI, uses and disclosures for marketing purposes, or disclosure of psychotherapy notes); b) stating that any uses or disclosures not described in the NPP require the patient’s authorization; c) describing the right of a patient to restrict certain disclosures of PHI to a health plan where the individual pays for the service in full out-of-pocket; and d) informing patients of their right to be notified in the event of a breach of unsecured PHI. If you are a clinical lab, though – the Office of Civil Rights issued a Statement of Delay on Friday.
  2. Update Business Associate Agreements. The Final Rule added additional requirements for what constitutes a valid Business Associate Agreement. A Business Associate Agreement must include the following: a) business associates must comply with the HIPAA Security Rule; b) business associates must report any breaches of unsecured PHI to covered entities; c) business associates must ensure that any subcontractors that create or receive PHI agree to the same restrictions and conditions as the business associate; and d) business associates are required to comply with the HIPAA Privacy Rule to the extent they are carrying out the covered entity’s obligations.
  3. Update breach response policies. The Final Rule changed the definition of “breach” as well as the risk assessment that must be undertaken to determine if there has been a breach. It is more likely that an impermissible access, use or disclosure of PHI will be a “breach” necessitating notification to the individual, HHS, and possibly the media. Breach response policies should reflect the new standards.
  4. Review and update your HIPAA Manual. The Final Rule made numerous changes to the HIPAA Privacy Rule. The changes include revisions to marketing rules involving PHI, new standards relating to the sale of PHI, increased ability of patients to restrict disclosures of PHI, and changes to standards involving access to electronic medical records by patients. These new provisions should be reflected in HIPAA policy and procedure manuals.
  5. Educate employees. Simply changing policies and procedures is not enough. Employees who handle PHI must be made aware of the revised standards and understand the new policies. Be sure to train your employees.


Catching up? Here are some resources to help:

Mintz Levin webinar reviewing the HIPAA Omnibus Rule

Mintz Levin HealthBeat Webinar Series

Privacy and Security Matters:  Rx for HIPAA Compliance