Office for Civil Rights

It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million!

Written by Dianne J. Bourque and Stephanie D. Willis

The HIPAA Omnibus Rule goes into effect today, which officially starts the clock for covered entities, business associates, and their subcontractors to begin updating their agreements, forms, policies, procedures, and practices to meet approaching compliance deadlines.

Business Associate Agreement (BAA) and Data Use Agreement (DUA) compliance deadlines depend on whether there is a current agreement in place that meets regulatory requirements.  New BAAs and DUAs must comply with Omnibus Rule requirements by September 23, 2013; otherwise, BAAs and DUAs that only became non-compliant after the Office for Civil Rights (OCR) released the Omnibus Rule may remain in effect until September 22, 2014 (or until the applicable agreement renewal date).  All parties must still comply with the Breach Notification interim final rule requirements under the HITECH Act during the 180-day transition period between March 26th and September 23rd of this year.

In the meantime, covered entities and business associates should be at least planning, if not undertaking, the following tasks:

  1. Preparing new, Omnibus Rule-compliant BAAs and DUAs in advance of contract renewal dates or the compliance deadline;
  2. Updating HIPAA policies and procedures and training materials;
  3. (Re)educating staff on their duties and responsibilities regarding protected health information and breach notification requirements; and
  4. Remaining alert for additional guidance from OCR.

Originally posted in Mintz Levin’s Health Law Policy Matters blog.