Fewer Than 90 Days and Counting . . . Are You Ready for the HIPAA Compliance Deadline?

Health Law Alert

July 3, 2013

Covered entities and business associates have fewer than 90 days, or until September 23, 2013, to come into full compliance with the HIPAA Omnibus Final Rule (the “HIPAA Final Rule”). The HIPAA Final Rule details several new requirements for covered entities and business associates and requires changes in policies and procedures of covered entities and business associates. It expands the definition of “business associate” to vendors and subcontractors who may not even be aware they are covered by HIPAA; makes business associates directly responsible for keeping data safe and secure; and expands criminal and civil penalties for covered entities and business associates who violate HIPAA.

Compliance with these new requirements will require substantial time and effort. Covered entities and business associates only have a short time to bring themselves into compliance with the mandatory changes required by the HIPAA Final Rule. It is essential that policies and procedures, forms and agreements reflect both the HIPAA Final Rule’s requirements and the covered entity or business associate’s actual practices. Significant fines may be imposed for failure to comply with internal process and practice. Compliance with the HIPAA Final Rule is mandatory. The potential consequences for violations are severe and include civil monetary penalties as well as criminal penalties.

Covered entities and business associates should immediately begin to address the action items below. Note that these are only examples and are not a complete list of the changes required by the Final Rule.

For Covered Entities (Providers, Facilities, Health Systems, Clearinghouses and Group Health Plans)

Business Associate Agreements

Patient Rights

Notice of Privacy Practices

Marketing, Fundraising and Sale of PHI


Breach Notification

Workforce Education and Training

For Business Associates and Subcontractors

Familiarize yourself with the requirements for business associates under the HIPAA Final Rule, recognizing that business associates who have access to PHI are directly liable for compliance with the HIPAA privacy and security rules and are subject to civil fines and criminal penalties for violations.

Business Associate Agreements

Privacy Rule Requirements

Security Rule Requirements

Breach Notification

Workforce Education and Training

How We Can Help
Hinshaw & Culbertson LLP attorneys have extensive experience developing and advising on privacy and information security programs. If you have questions or need assistance in determining how to make the requisite changes to your policies, procedures, and practices in order to come into compliance with the Final Rule, please call Michael A. Dowell or your regular Hinshaw attorney.

This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.