When the Department of Health and Human Services (HHS) released the initial set of HIPAA rules in 2009 and 2010, they were not intended to be a “final” set of rules, but merely a proposed set. Industry experts expected these rules to become effective, or “final”, sometime in 2012 or later, but were unsure what further changes might be made.
Finally, on January 13, 2013, a final set of rules (the omnibus Final Rule) was released. HHS also used its regulatory authority to make modifications to some provisions of the Act to make the rules consistent with other similar regulations. The omnibus Final Rule included four major provisions:
- Final rule implementing modifications to the HIPAA Privacy, Security and Enforcement Rules.
- Final rule implementing changes to the HIPAA Enforcement Rule.
- Final rule implementing changes to the Breach Notification for Unsecured Protected Health Information.
- Final rule modifying the HIPAA Privacy Rule.
The following are some of the important dates regarding implementation of the new rules:
- March 26, 2013: Effective date of the omnibus Final Rule.
- September 23, 2013: Covered entities must comply with most of the new Rules’ provisions.
- September 25, 2013: Disclosures of PHI become subject to the new restrictions on sale of PHI.
- September 22, 2014: Covered entities must bring all of their Business Associate Agreements (“BAAs”) into compliance with the Rules; the new Rules also apply this requirement to Business Associates’ agreements with their covered subcontractors (or sub-BAs).
If your company has already begun to implement some of the interim rules issued in 2009 and 2010, you're in good shape! You will have less work to do to ensure your company is compliant with the final rules. If you haven’t started to evaluate your level of compliance, there’s no better time than the present.
Part 1 of this HIPAA/HITECH Compliance series covers:
- When and why did HIPAA/HITECH Compliance start?
- Is my company affected by these new rules?
Skoda Minotti Technology Partners can provide a HIPAA Compliance Readiness Assessment to determine where your organization is deficient or vulnerable in preparation for the Final Rules. For more information on our HIPAA/HITECH Compliance services, contact Brian Rosenfelt at Skoda Minotti Technology Partners by calling 440-449-6800.