Earlier this year, the Department of Health and Human Services announced modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (the “Final Rule”). The Final Rule imposes new obligations on medical practices (“Covered Entities”) and their business associates (“Business Associates”) and requires modifications to a Covered Entity’s Business Associate Agreement and Notice of Privacy Practices. Covered Entities that have not already revised their form of Business Associate Agreement and Notice of Privacy Practices should do so before September 23, 2013 in order to be compliant with HIPAA.
Business Associate Agreements
The Final Rule contains new requirements for Business Associate Agreements. All Business Associate Agreements entered into after January 25, 2013 must comply with the new requirements by September 23, 2013. There is a one-year grace period for Business Associate Agreements entered into prior to January 25, 2013 and not renewed or modified between March 26, 2013 and September 23, 2013. Such older agreements must comply with the new requirements by the first to occur of September 23, 2014 or when they are renewed.
Covered Entities and Business Associates must revise their Business Associate Agreements by the applicable compliance date to ensure that they meet the new HIPAA requirements and include certain new obligations on Business Associates. Pursuant to the Final Rule, Business Associates are required to comply with certain provisions of the HIPAA rules that previously only applied to Covered Entities. Additionally, the Final Rule provides additional guidance about which entities are Business Associates, and explains that certain subcontractors of Business Associates are business associates as well. Business Associates will have to enter into written agreements with their subcontractors that handle personal health information.
Notice of Privacy Practices
The Final Rule also requires changes to the Notices of Privacy Practices that medical practices are required to provide to patients. The Notice of Privacy Practices must be revised to meet the new requirements by September 23, 2013. The new requirements include changes to the authorizations required for marketing communications, as well as other uses of personal health information, and introduce new requirements regarding access to personal health information. Additionally, the Notice of Privacy Practices must now include additional information regarding permitted uses of personal health information and the responsibilities of the Covered Entity in the event of a security breach.
Steps to Take Immediately
If a Covered Entity has not already revised its form Business Associate Agreement and Notice of Privacy Practices to comply with the Final Rule, it must do so before September 23, 2013 in order to be in compliance with HIPAA. If a Covered Entity has Business Associate Agreements that were in effect prior to January 25, 2013 that have not been amended, it needs to revise those agreements prior to September 23, 2014. Flaster/Greenberg PC has reviewed the Final Rule and understands the changes that are needed to both the Business Associate Agreement and Notice of Privacy Practices and can work with Covered Entities to make those documents compliant before the deadline.
If you would like more information about the information discussed in this Alert, please contact a member of the Health Care Practice Group at Flaster/Greenberg PC.