Omnibus HIPAA Regulations Approaching Quickly


The compliance date for the Omnibus HIPAA Regulations discussed in our previous client alerts this year is rapidly approaching on September 23, 2013. Healthcare Providers, Health Plans, and Healthcare Clearinghouses should be finalizing documents to respond to the new requirements. Specific focus should be placed on:

  • Notice of Privacy Practices. This document must be revised to incorporate changes. It must be posted and available to patients in advance of the September 23, 2013 effective date. Required changes include:
    • A statement that the covered entity must notify an affected individual of a breach of unsecured protected health information (PHI);
    • A description of the disclosures of PHI requiring an authorization (e.g., psychotherapy notes, marketing, and sale of information), and a statement that other uses or disclosures not described in the notice require authorization;
    • A statement that the recipient of fundraising materials may opt out of future fundraising communications;
    • A description of an individual’s right to restrict disclosure of PHI to health plans if he or she paid for the relevant care;
    • If the Covered Entity is a Health Plan, the NPP must state that genetic information will not be disclosed to the Plan Sponsor; and
    • Health Plans that disclose information for underwriting must also state that genetic information will not be disclosed for this purpose.
  • Business Associate Agreements.  If the Covered Entity does not currently have a Business Associate Agreement in place with the Business Associate or if the underlying engagement was modified after January 25, 2013, the revised Agreement must be executed by September 23, 2013. If an Agreement is already in place with the Business Associate and changes were not made to the underlying engagement, execution of the revised Agreement may be delayed until the underlying engagement is revised, up to September 23, 2014.

In addition to the document revisions that are required by September 23, 2013, Covered Entities and Business Associates should be:

  • Revising policies and procedures to reflect changes related to use and disclosure of PHI under the Omnibus Regulations;
  • Revising practices regarding breach identification, response, and notification to reflect the new definition of “breach”;
  • Training staff regarding revised policies and requirements;
  • Performing a HIPAA Security Risk Assessment to identify any current security vulnerabilities; and
  • Implementing reasonable and appropriate safeguards to manage current risks to PHI and EPHI. 
