On Jan. 17, the Department of Health and Human Services (HHS) released its long-awaited, final Health Insurance Portability and Accountability Act (HIPAA) rule, which significantly expands certain HIPAA obligations for covered entities and their business associates. HIPAA is the federal statute that governs the confidentiality and protection of a patient's protected health information.

The final rule, which was published in the Federal Register on Jan. 25, expands HIPAA obligations for business associates and their subcontractors, revises the requirements regarding the use and disclosure of patient information, expands patient rights, clarifies the content of the Notice of Privacy Practices to be provided by health care providers, modifies the breach notification requirements, and expands enforcement provisions and penalties. Covered entities and business associates have until Sept. 23 (and in limited circumstances with respect to amending business associate agreements, until Sept. 23, 2014) to achieve compliance with the new provisions contained in the final rule.

Covered entities

Covered entities are directly responsible for complying with the privacy and security obligations imposed by HIPAA. A covered entity consists of a health care provider (e.g., physician practice, hospital, pharmacy, skilled nursing facility, etc.), health plan (e.g., private health insurer, group health plan, HMO, etc.), or a health care clearinghouse (e.g., health care billing company).

In order to achieve compliance with the Final Rule, covered entities should undertake the following steps before Sept. 23:

1. Perform a “gap” analysis to determine what changes are needed to existing HIPAA policies, procedures and forms to address the final rule provisions, as well as any changes to address current HIPAA Privacy Rule, HIPAA Security Rule and HITECH Act requirements.

2. Revise existing HIPAA policies, procedures and forms as appropriate. (If you do not have any existing HIPAA policies, procedures or forms, adopt them immediately). It is important to ensure that the policies and procedures implemented accurately reflect the operations of your business and that you have taken the necessary steps to ensure compliance.

3. Update and revise existing business associate agreements to address the final rule provisions and obtain new business associate agreements as needed (e.g., for data storage providers, even if they do not access protected health information).

4. Notify business associates of their obligation to comply with the HIPAA Security Rule and certain parts of the HIPAA Privacy Rule, including the obligation to conduct a Security Rule analysis. Also, notify business associates of their obligation to obtain appropriate HIPAA agreements with their subcontractors who have access to protected health information.

5. Amend your Notices of Privacy Practices to address the final rule provisions. The amended Notice of Privacy Practices should be posted in a prominent location where it is reasonable to expect patients to see and be able to read the notice, placed on your website (if you maintain a website), and provided to patients at their first service delivery or in an emergency, as soon as reasonably practicable. In addition, the amended notice should be made available upon request to those existing patients who have already received and signed a Notice of Privacy Practices.

6. Train workforce members on the new HIPAA requirements and obligations and notify them of the changes to your HIPAA policies, procedures and forms. All training should be documented.

7. Implement, as possible, encryption technology for protected health information (especially on laptops and other portable devices) to minimize the risk of having to disclose a breach of protected health information.

Business associates

A business associate is a person or entity that provides services to or on behalf of a covered entity and, in the course of providing such services, has access to the covered entity's protected health information (e.g., attorneys, consultants, software vendors, accountants, marketers, etc.).

As the result of the Final Rule, business associates are now directly responsible for complying with certain privacy and security aspects of HIPAA. In order to achieve compliance with the Final Rule, business associates should undertake the following steps before Sept. 23:

1. Conduct a Security Rule analysis to determine the security risk areas for your business.

2. Implement HIPAA policies, procedures and forms to address your risk areas and new responsibilities under HIPAA as a business associate. It is important to ensure that the policies and procedures implemented accurately reflect the operations of your business and that you have taken the necessary steps to ensure compliance.

3. Obtain appropriate HIPAA agreements with subcontractors who perform activities on your behalf and, in that regard, have access to protected health information.

4. Train workforce members on the new HIPAA requirements and obligations and notify them of your new HIPAA policies, procedures and forms. All training should be documented.

5. Implement, as possible, encryption technology for protected health information (especially on laptops and other portable devices) to minimize the risk of having to disclose a breach of protected health information.

If you are a covered entity and/or business associate, or represent a covered entity and/or business associate, it is important that you take the necessary steps to ensure compliance with the Final Rule before Sept. 23. Failing to achieve compliance with the final rule could have serious implications and ramifications for your business.