
The Deadline for Compliance with the HIPAA Omnibus Rule is September 23, 2013. Are You Ready?

Eleanor (Miki) A. Kolton
Greenberg Traurig, LLP - Washington Office

August 13, 2013

Previously published on August 12, 2013

The HIPAA Privacy Rule and portions of the HIPAA Security Rule were dramatically amended by an omnibus rule published by the Department of Health and Human Services in January 2013. Highlights of the changes that need to be made by covered entities (CE) and business associates (BA) are:

  • Changes to the Notice of Privacy Practices (NPP) and medical records release forms. In particular the NPP needs to apprise the individual that they will be informed if their protected health information (PHI) is breached;

  • Business associate agreements (BAA) need to reflect that BAs are now directly liable for compliance and enforcement of HIPAA rules and indicate that BAs will obtain written assurance of compliance from downstream contractors and vendors; and

  • BAs must put into place policies and procedures for compliance with privacy and security rules.

The deadline for CEs and BAs to come into compliance with the new rules is September 23, 2013. CEs and BAs must start to do the following:

  • Modify BAAs and policies and procedures to reflect changes to the breach notification rules, which includes ensuring the new four-factor risk assessment is met;

  • Modify BAAs and policies and procedures to address the prohibition on the sale of individuals' PHI without permission;

  • Modify and implement new policies and procedures that address the new limits on permissible uses of information for marketing and fundraising activities;

  • Modify BAAs and policies and procedures to address the expanded rights of individuals to restrict disclosures of PHI;

  • Modify BAAs and policies and procedures to address expanded rights of individuals to receive copies of their PHI, including electronically; and

  • Make sure personnel are trained on new requirements and updated policies and procedures.

Companies should consider the following to ensure compliance by the September 23, 2013 deadline:

  • Implementation or review of an existing HIPAA Privacy Policy Manual, including policies and procedures and forms such as the NPP and the release of health information form;

  • Preparation of a new or revised BAA form (which includes, but is not limited to, addressing downstream contractors);

  • Implementation or review of an existing HIPAA Security Policy Manual, including guidance for performing a risk assessment and model policies; and

  • Implementation of workforce training.


The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.
