On January 25, 2013, the U.S. Department of Health and Human Services released its final Omnibus Rule amending some provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Two of these amendments will require health care providers (covered entities under HIPAA) to update their Business Associate Agreements and Notices of Privacy Practices by September 23, 2013.
With respect to Business Associate Agreements, the Omnibus Rule has expanded the definition of “business associate.” This term will now encompass subcontractors of business associates as well as any organization that has access to protected health information. Under this change, covered entities must have Agreements in place with their own subcontractors and in turn, business associates must have Agreements in place with their subcontractors. The Omnibus Rule states that any Business Associate Agreements in place prior to January 25, 2013 will be honored until they expire or until September 24, 2014, whichever comes first.
Covered entities must revise their Notices of Privacy Practices to include:
- The right to be notified in the event of a breach of the individual’s protected health information
- The right to request that a health plan not be informed of treatment which is paid for in full by the individual, and the covered entity’s obligation to comply with such a request
- That consent is required prior to the disclosure of the individual’s psychotherapy notes or prior to the disclosure of the individual’s protected health information for marketing purposes
- The right to opt out of communications for fundraising purposes
Once a Notice of Privacy Practices is updated to comply with the Omnibus Rule’s new requirements, the covered entity should redistribute the Notice to its patients.