• January 28, 2013 | Author: Ann Feldkampt Triebsch
  • Law Firm: Wyatt, Tarrant & Combs, LLP - Louisville Office
The rumors last week were true - the new HIPAA regs were released on January 17 by the Department of Health & Human Services (HHS), Office for Civil Rights (OCR), implementing the HITECH Act and the Genetic Information Nondiscrimination Act of 2008 (GINA)! The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s enforcement capabilities. The regulations will be published in the January 25 Federal Register, and will be effective on March 26, with compliance required by September 23.

We will discuss the highlights of the new regulations, topic by topic, in this blog over the next few weeks, but we begin with an urgent piece of information. The new regs substantially increase the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors. Business associates may also be liable for increased penalties for noncompliance based on the level of negligence, up to a maximum penalty of $1.5 million.

All of the new requirements will need to be reflected in business associate agreements (BAAs). But you can still sign your current business associate agreements through January 24 (this Thursday), and they will be deemed HIPAA compliant through September 23, 2014 (at which time they will need amending). After January 24, you will need to make sure any new BAAs signed comply with the new rule, and are in place by September 23, 2013. So if you need to put a BAA in place but have not made it a priority, do so today and buy yourself some extra compliance time!