The government issued comprehensive, final Omnibus Regulations addressing HIPAA's privacy and Security Standards. These rules require covered entities to assess security concerns.
The new rules are effective March 23, 2013, but covered entities have until September 23, 2013 to document full compliance. Employers that sponsor group health plans subject to HIPAA should start to take action now for compliance with the Omnibus Rule.
Specifically, the following action items must be addressed:
- HIPAA Policies and Procedures. Review and revise to comply with new changes.
- Notice of Privacy Practices. Update to incorporate new disclosure rules then distribute.
- Privacy Rights Forms. Update for new changes.
- Business Associate Agreements. Enter into Business Associate Agreements with third parties who provide data transmission of electronic protected health information (ePHI).
BAS will be taking a proactive approach to the new business associate agreement requirements. In many situations, BAS is not a business associate because it provides services on behalf of the employer and not the group health plan which is the covered entity subject to HIPAA. However, to the extent BAS is considered a business associate, BAS will be reaching out to clients with a format Business Associate Agreement for signature that complies with the Omnibus Rule. Look for a BAA in the coming months.
