Mid-Atlantic Health Law TOPICS
New HIPAA Rules
In 2013, the federal government released an omnibus update to HIPAA's privacy and security rules (Omnibus Rule). Among other changes, the Omnibus Rule imposed new requirements for two documents routinely used by most health care providers.
A. Business Associate Agreements
First, business associate agreements must include additional provisions. HIPAA has long required health care providers to enter into privacy-protective agreements with their business associates: those of their vendors or contractors who use their patient information to perform services on their behalf.
Business associate agreements must now reflect the Omnibus Rule's extension of HIPAA mandates to downstream entities. Each business associate agreement must contain a promise from the business associate that it will obligate those of its downstream contractors who receive patient information also to comply with HIPAA security and privacy rules.
Business associate agreements must also now expressly obligate business associates to comply with HIPAA security obligations, such as mandates for the protection of electronic devices used to store patient information.
B. Notice of Privacy Practices
Second, notices of privacy practices given to patients must change to reflect the Omnibus Rule's revision to HIPAA privacy protections.
A provider's notice of privacy practices must now inform patients that: (a) the provider may use the patient's information for fundraising, and that the patient may opt out of fundraising communications (for those health care providers that fundraise); (b) a self-pay patient has a right to restrict the provider from disclosing the patient's information to a health plan, if the patient has already paid in full; and (c) the provider must notify the patient if the privacy or security of the patient's health information is breached.
The new mandates for notices of privacy practices and business associate agreements are already in effect. If a practice has not yet updated these documents, it should do so now, and also take the opportunity to double-check its overall HIPAA compliance.
March 26, 2014