The HIPAA Clock Is Ticking

Be Sure to Be Ready for the September 23, 2013 Deadline

Legal Alerts

8.15.13

September 23, 2013 is an important date for HIPAA Covered Entities and Business Associates. On that date, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) will expect all HIPAA Covered Entities and Business Associates to be in compliance with the new requirements published this past January in a mega-rule modifying the HIPAA Privacy Rule, Security Rule, Enforcement Rule and Breach Notification Rule (together called the “Omnibus Rule”). Non-compliance can cost Covered Entities and Business Associates up to $1.5 million in fines per individual violation per year—and much more for multiple violations involving multiple patients.

What Do You Need To Do?

By the deadline, Covered Entities and Business Associates have a lot to do.

Covered Entities need to:

  • Revise and implement privacy policies and procedures to address changes regarding breach notification, marketing, fundraising, sale of PHI, protection of decedent’s PHI, disclosures to family of deceased patients, individual’s right to restrict disclosure of PHI to health plans, individual’s right to access PHI in electronic form, research authorizations, use of genetic information, and disclosure of student vaccination information.
  • Revise their Notice of Privacy Practices and re-post or re-distribute it.
  • Identify entities that are newly classified as Business Associates. These will need compliant Business Associate Agreements, as described below.
  • Develop, negotiate and execute a revised Business Associate Agreement that satisfies the Omnibus Rule. For first-time contracts or existing contracts that will be amended prior to September 23, 2013, these must be in place by September 23, 2013. For existing contracts that will not be amended before September 23, 2013, Covered Entities have an extra year to execute revised contracts.
  • Consider whether their arrangements with their Business Associates will cause these Business Associates to be classified as their agents for HIPAA enforcement purposes. If so, consider steps to avoid that classification, since agents create additional liability to OCR.
  • Understand how to respond to a breach of unsecured PHI.
  • Consider whether and how to include HIPAA in their compliance plans.
  • Understand the new heightened HIPAA enforcement structure and climate. Prepare for possible OCR compliance audits and investigations.
  • Train their workforce in the new HIPAA requirements.

Business Associates need to do many things similar to Covered Entities, but with a twist:

  • Understand their first time liability to OCR for civil money penalties for non-compliance with HIPAA. OCR will now hold Business Associates directly responsible for compliance with the Security Rule, portions of the Privacy Rule, and the Breach Notification Rule.
  • Adopt and implement a full set of security policies and procedures for electronic PHI.
  • Adopt and implement the same PHI privacy policies as Covered Entities need to modify—described above.
  • Identify entities that are newly classified as Business Associate Subcontractors. These entities will need Business Associate Agreements that satisfy the Omnibus Rule, as described below.
  • Develop, negotiate, and execute revised Business Associate Agreements that satisfy the Omnibus Rule with their Covered Entities and Business Associate Subcontractors. For new contracts or contracts that will be amended before September 23, 2013, these revised Business Associate Agreements must be in place by September 23, 2013. For existing contracts that will not be amended before September 23, 2013, Business Associates have an extra year to execute these contracts.
  • Consider whether their arrangements with their Covered Entities or Business Associate Subcontractors will cause them to be classified as agents for HIPAA enforcement purposes. If so, consider steps to avoid that classification, since agents increase liability to OCR.
  • Understand their obligations if they are the cause of a breach of unsecured PHI.
  • Understand the new heightened HIPAA enforcement structure and climate. Prepare for possible OCR compliance audits or investigations.
  • Train their workforce on the new HIPAA requirements and consider how to monitor compliance.

Don’t Worry—We Can Help!

It’s not too late to get help to become compliant. Dykema’s experienced HIPAA team can get you ready. We can:

  • Provide updated policies and procedures.
  • Provide an updated Notice of Privacy Practices.
  • Provide updated Business Associate Agreements.
  • Analyze Business Associate relationships and restructure them as necessary to decrease liability risk.
  • Perform data breach assessments.
  • Conduct data breach notification when indicated.
  • Conduct mock HIPAA compliance audits (a/k/a “gap assessments”).
  • Defend against government audits and investigations.
  • Conduct on-site training.
  • Answer routine and unusual HIPAA operational questions as they arise. We understand the interplay between HIPAA and legal protections for mental health, substance use disorder, and HIV-AIDS treatment information—a critical nuance that is often overlooked in implementing HIPAA.

We would be pleased to assist you with your HIPAA compliance needs. Feel free to contact Kathrin Kudner at 734-214-7697, kkudner@dykema.com or Joanne Lax at 248-203-0816, jlax@dykema.com.


As part of our service to you, we regularly compile short reports on new and interesting developments in our business services program. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments on this newsletter, or any Dykema publication, are always welcome. © 2013 Dykema Gossett PLLC.