The HIPAA Omnibus rule has a final deadline: healthcare organizations must ensure business associate agreements are revised and ready by Sept. 22. Is your organization ready?
The key components of the omnibus final rule include:
- Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity's notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
This Sept. 22 date is vital because there was a grandfather provision in the original omnibus rule for existing business associate agreements. Organizations were given an additional year to revise their business associate agreements under the final HIPAA omnibus rule. This important deadline is now less than a month away!
To be compliant, all covered entities and business associates should have identified all the BAs (business associates) and subcontractors that they work with and ensured that they have a BAA (business associate agreement) that is compliant with the ruling. It is important that the agreements now assign and allocate risks among the parties.
With the new ruling, all business associates that process health insurance claims now will be liable for the protection of patient information. Additionally, the penalties for noncompliance with the ruling have increased. There is now a maximum penalty of $1,500,000 per violation.
Make sure you are compliant!