Several important HIPAA requirements have changed, and penalties for non-compliance have increased dramatically. If you are a covered entity, you were required by law to comply with the HIPAA Omnibus Rule by September 23, 2013. If you haven't yet done so, we encourage you to read the recommended steps below, then open the PDF linked at the bottom of this post for the full guidance.
In our blog post entitled Confused about Creating Easy-to-Read "Notices of Privacy Practices?" The US Government Has Come to Your Rescue, we explained how to address the Omnibus Rule's notice requirements by using the government's sample wording. In January, in our post entitled HIPAA's Final but Sweeping Changes to Privacy and Security Rules, we announced and explained the Omnibus Rule issued under HIPAA.
We all have a bit of housekeeping to do in our office paperwork. The handy list of recommended steps below is provided by Seyfarth Shaw:
- By the compliance date, covered entities should update their privacy policies and procedures to reflect the new regulations, including GINA’s prohibition on using genetic information for underwriting purposes, the new definition of marketing, when an authorization is required, the new definition of breach of unsecured PHI and the new risk assessment procedures.
- Within a reasonable period of time after the compliance date, covered entities should retrain their workforce members on the updated policies and procedures. Although business associates are only required by law to train their workforce on the security rules, they are contractually obligated to comply with the HIPAA privacy rules and, as a practical matter, should also train their workforce on the privacy rules.
- By the compliance date, covered entities should revise their privacy notices as indicated above. Revised notices must be posted on a health plan’s website by the effective date of the revisions and provided to covered individuals in the next annual mailing. If a plan does not maintain a website, revised notices must be provided (or information as to how to obtain a revised notice) to covered individuals within 60 days of the revision.
- Covered entities should identify their business associates and make sure BAAs are in place. For those business associates who do not have agreements, covered entities will need to enter into new BAAs containing the new provisions by September 23, 2013. For those BAAs currently in effect, update the existing BAAs for changes prompted by these final rules by the end of the transition period.
- Business associates should identify their subcontractors and enter into BAAs with them.
- Covered entities and business associates who have unsecured PHI should consider taking advantage of the safe harbor to secure as much PHI as possible, thus potentially avoiding the breach notification requirements.
- By the compliance date, covered entities and business associates should implement new risk assessment procedures, and ensure that all assessments are properly documented.
You will find the original document from which the above list was copied here: Seyfarth Shaw — Management Alert.