Countdown to Enforcement! Are You HIPAA-Ready for September 23, 2013?

Authors:  Joy Kosiewicz & Isabelle Bibet-Kalinyak; Brouse McDowell (Ohio, USA)

Health care entities now have less than six weeks to comply with the HIPAA Omnibus Rule.  September 23, 2013 is the deadline for full compliance. Included is a useful checklist to assist you in meeting the deadline.

Update and Distribute Your HIPAA Notice of Privacy Practices

1. Update: Make sure your HIPAA Notice of Privacy Practices contains:

  • A description of the types of uses and disclosures that require an authorization, specifically including, as applicable, marketing, psychotherapy notes, and disclosures that constitute a sale of protected health information (“PHI”).
  • The individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the health care item or service.
  • A statement that the covered entity must notify affected individuals following a breach of unsecured PHI.
  • A statement that the individual may be contacted for fundraising purposes and has a right to opt out of such communications, if applicable.
  • A statement that the health plan is prohibited from using or disclosing genetic information for underwriting purposes, if applicable.

2. Distribute: Health care providers must (1) distribute the Notice to all new patients; (2) post the Notice in a clear and prominent location at all delivery sites and on their website; and (3) make the Notice available at all delivery sites and upon request from an individual. Health plans must (1) either prominently post the Notice on their website or provide individuals with the Notice and (2) distribute the Notice in their next annual mailing.

View the entire checklist.