Are you a HIPAA covered entity? If so, the Department of Health and Human Services' modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules require that covered entities come into compliance with the Rule's requirements by September 23, 2013.
It is important to note that HIPAA's Privacy and Security Rule requirements apply not only to health care providers as covered entities, but also to health plans – which includes, as a general rule, insured and self-insured group health plans, dental and vision plans and employee assistance plans and flex spending accounts. While employers are not considered covered entities under the Rule, employers are nonetheless responsible for ensuring that any covered health plans meet the Rule's requirements.
The Rule requires, among other things, that covered entities modify their Notice of Privacy Practices to incorporate some of the major changes to the rule, and redistribute those Notices on or before September 23, 2013. Covered entities' privacy and security policies should also be audited to ensure that they contain the components required by the Rules (for instance, breach investigation and notification policies must be updated and modified). Finally, covered entities must make sure that any business associate agreements are modified and updated and that the covered entity has accurately identified those entities that must sign business associate agreements with the covered entity.
If you need assistance with implementing these policy changes, auditing your current policies to make sure you are in compliance, or have questions as to whether or not you are a covered entity, please contact Kim Blankenship.