53 days and counting — compliance deadline for HIPAA omnibus rule quickly approaching

by Cathy Bryant

In January, the Department of Health and Human Services (HHS) released a final omnibus rule to strengthen the patient privacy protections established by HIPAA. The rules expand the individual rights of patients and tighten federal breach notification requirements.

With the new rule, physicians will potentially face more scrutiny by the federal government as well as new administrative burdens.

The rule was effective March 25, 2013, but covered entities have until September 23, 2013 to achieve compliance.

The AMA has produced a summary of the omnibus rule, recommending physicians focus on three areas:

  1. “Privacy, Security, Breach Notification policies and procedures;
  2. Notice of Privacy Practices; and
  3. Business Associate Agreements.” [1]

A basic requirement of these rules: every practice must have privacy and security policies and procedures. The procedures ensure practices have addressed all the requirements and provide guidance for employees in their daily work.

By the September 23, 2013 deadline, covered entities and business associates will need to:

  • “Revise the Notice of Privacy Practices (this is applicable only to Covered Entities). Both health care providers and health plans must redistribute the new Notice of Privacy Practice, but the methods for doing that differ.
  • Enter into first-time Business Associate Agreements . . . with the entities that the Final Rule now defines as Business Associates — e.g. any health information exchange organizations, e-prescribing gateways, and other entities that transmit electronic protected health information (EPHI), as well as Patient Safety Organizations, vendors of Personal Health Records, and entities that “maintain” PHI (such as cloud computing entities).
  • Covered Entities will also need to enter into compliant Business Associate Agreements with any more familiar kinds of business associates that have a new relationship with them—for example, if the Covered Entity is changing a service provider, accounting firm or similar relationship prior to September 23, 2013. Business Associates additionally need to enter into Business Associate Agreements with all of their subcontractors that provide services involving routine handling of PHI – a brand new requirement imposed by the Final Rule.
  • Write a new data breach notification policy. The Final Rule dramatically changed the standards for determining when a breach notification is necessary.
  • Write a new policy dealing with marketing and fundraising activities that involve the use and disclosure of PHI. The Final Rule tightened restrictions on the activities that can be performed without individual authorization.
  • Write a new policy dealing with the disclosure of PHI for remuneration. The Final Rule requires individual authorization and specifies the terms of the authorization document.
  • Write a new policy dealing with a patient’s right to access PHI that is held about them in electronic format. Individuals now have rights regarding the format of produced information, and the right to direct that the electronic information go to a third person instead of only to themselves. The timing of a response to this kind of request was also changed.
  • Write a new policy about disclosing immunization records to schools. An authorization is no longer required, but the Final Rule still requires other forms of permission.
  • Write a new policy dealing with release of PHI to the family of deceased patients who are not an appointed personal representative . . . Additionally, information about individuals who have been deceased for 50 or more years is no longer considered PHI.
  • Write a new policy regarding an individual’s right to restrict use of PHI for treatment or payment purposes. The Final Rule requires Covered Entities and Business Associates to honor such requests in certain situations involving disclosure to health plans, whereas previously they could choose whether or not to honor the request.
  • Write a new policy regarding ‘minimum necessary’ uses and disclosures of PHI. The final rule emphasizes that use or disclosure of more than the minimum necessary amount of PHI is a breach that may require notification to affected individuals, DHHS, and the media.
  • Write a new policy about research authorizations regarding research protocols involving the use or disclosure of PHI. The Final Rule permits increased flexibility and consistency with informed consent practices under the Common Rule.
  • For health plans that engage in underwriting, write a new policy prohibiting the use of genetic information for that purpose.” [2]

What does this mean between now and the September 23, 2013 compliance date?

  • Existing HIPAA Privacy and Security rules are still in effect. Practices should be in compliance and make changes before the compliance date.
  • Breach notification rules (federal and state) are still in effect and practices should be in compliance.
  • The Texas Medical Records Privacy Act (effective in 2012) is still in effect and practices should be in compliance. In some instances, Texas law is more stringent than federal law.
  • Texas requires all Covered Entities to train new employees on PHI by the 60th day of employment and re-train every two years. The training must be customized to your practice and the employee’s level of access.
  • The Texas Identity Theft Protection and Enforcement Act is still in effect and requires that you implement reasonable procedures to protect sensitive personal information (SPI) from unlawful use or disclosure.

At TMLT, we are updating our HIPAA resources to reflect the new requirements. Our Product Development and Consulting Services staff is also available for consultations. Please contact Stephanie Downing at stephanie-downing@tmlt.org or at 800-580-8658 ext. 4884 for more information.

1. American Medical Association. The Health Insurance Portability and Accountability Act (HIPAA) omnibus final rule summary. Available at http://www.ama-assn.org/resources/doc/washington/hipaa-omnibus-final-rule-summary.pdf. Accessed March 27, 2013.
2. Lexology.com. New compliance requirements take effect September 23, 2013; what you need to do now. Available at http://www.lexology.com/library/detail.aspx?g=7185f9a4-a82b-4fb0-9e7c-6a98ee3136e7. Accessed March 27, 2013.