01-28-2013
The U.S. Department of Health and Human Services (HHS) has released the much-awaited Omnibus Rule with modifications to HIPAA as required by the HITECH Act of 2009. The HIPAA Modifications include:
- Strengthening requirements on Business Associates and Business Associate Agreements, including revised definitions of who is a Business Associate
- Increasing the rights of individuals to gain access to their health information and control over how the information is disclosed
- Strengthening enforcement of compliance with the HIPAA Privacy and Security Rules
- New limits on the use of Protected Health Information for marketing and fundraising activities
- Modifications to the interim Breach Notification Requirements
These updates will require a notable amount of work for covered entities to be compliant by the deadline of September 23, 2013. Actions that covered entities should consider include:
- Perform a gap analysis to determine what policies and procedures must be revisited
- Revise privacy and security policies and procedures to bring the organization into compliance
- Revise breach notification and security incident response procedures
- Increase efforts to encrypt PHI
- Amend and distribute Notice of Privacy Practices
- Update authorization forms as necessary
- Train the workforce and promote an ongoing culture of security and compliance
- Revise and renegotiate Business Associate contracts
- Ensure Risk Assessments and Compliance Programs are up-to-date
The HHS news release can be found here: http://www.hhs.gov/news/press/2013pres/01/20130117b.html
For more information, visit the Health and Human Services Web site or contact PA REACH for additional resources. PA REACH will post notices as additional information and informational Webinars become available.