by Ann F. Triebsch

(Updated January 27, 2013)

On January 17, 2013, the Department of Health & Human Services (HHS), Office for Civil Rights (OCR), released the final HIPAA Omnibus Rule (Omnibus Rule) implementing the HITECH Act of 2009 and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s enforcement capabilities. The regulations are published in the January 25, 2013 Federal Register, and will be effective on March 26, 2013, with compliance required by September 23, 2013.

We will discuss the highlights of the new regulations, topic by topic, in this blog over the next few weeks, but we begin with a key piece of information relevant to existing business associate agreements. The new regs substantially increase the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors. Business associates may also be liable for increased penalties for noncompliance based on the level of negligence, up to a maximum penalty of $1.5 million.

All of the new requirements will need to be reflected in business associate agreements (BAAs). If your current business associate agreement was signed on or before January 24, 2013, it will be deemed HIPAA compliant through September 23, 2014 (at which time the agreement will need to have been amended for compliance with the Omnibus Rule). After January 24, 2013, any new BAAs signed should comply with the Omnibus Rule, and be in place by September 23, 2013.

To read the Omnibus Rule, click here.