Mark Your Calendars For September 23rd HIPAA Compliance Deadline

Attention HIPAA covered entities and business associates: the deadline for compliance with the HITECH Omnibus Final Rule is September 23, 2013.

The Omnibus Final Rule was released on January 25, 2013 and requires updates and revisions to a number of documents and policies used and maintained by healthcare providers.

First, an organization’s “Notice of Privacy Practices” (or “Privacy Notice”) must include several updates for all new patients.

The definition of a “business associate” has also been expanded, and business associates are now directly liable for HIPAA compliance under the Omnibus Final Rule. In connection with this, business associates must enter into written agreements with all subcontractors that assist with activities involving the business associate’s PHI, which means that business associate agreements must be updated to conform to these new requirements.

According to the Omnibus Final Rule, every impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised. Any breach requires notification to affected individuals and to the Secretary of HHS in accordance with requirements that went into effect in 2010.

Upon request, a covered entity must provide a patient’s medical records within 30 days, in the format requested if producible, or otherwise in a readable electronic form. This means that providers are now required to give patients electronic access to their health information when the patient requests it that way and the information is maintained electronically. Covered entities must also provide this information to a third party designated by the patient in a properly signed written request.

Each organization’s policies, procedures, and business associate agreements will need to be updated and revised to conform to the new rule by the September 23rd deadline. Compliance by September 23, 2013 is important because providers face increased fines and penalties for noncompliance. Penalties are now divided into four tiers, depending on the level of knowledge and negligence involved in a particular violation, with the potential for $1.5 million in fines per violation.

For more information about compliance with the Omnibus Final Rule and the September 23rd deadline, contact Susan Ziel at sziel@kdlegal.com, Mark Morrell at mmorrell@kdlegal.com, Jaya White at jwhite@kdlegal.com or Meghan McNab at mmcnab@kdlegal.com.