August 20, 2013
The Department of Health and Human Services (HHS) released new regulations in January 2013 that made important changes to the privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA). These new regulations, known as the HIPAA Omnibus Rule, implement many of the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Covered entities have until September 23 to comply with these changes.
Physician offices will, at minimum, need to review and update their business associate agreements, office privacy and security policies and notice of privacy practices.
Some of the key changes made by the HIPAA Omnibus Rule include, but are not limited to, an updated definition of a business associate, new rules surrounding certain permitted uses and disclosures of protected health information (PHI), such as the sale of PHI and the use of PHI for fundraising and marketing, and rules controlling how patients can obtain medical records that are kept by a physician electronically. It also made significant changes to the breach notification rule.
For more information and for an updated sample notice of privacy practices and business associate agreement, see the California Medical Association’s (CMA) On-Call documents #4101 “HIPAA ACT SMART: Introduction to the HIPAA Privacy Rule” and #4103 “Business Associates.” These documents are available free to members in CMA's online health law library. Nonmembers can purchase documents for $2 per page.
CMA also hosted a webinar, "HIPAA Compliance: The Final HITECH Rule," available in the resource library for on-demand playback at your convenience.
CMA has also produced a resource document, "HIPAA Omnibus Rule Compliance Frequently Asked Questions," available for download to CMA members.
Contact: CMA's Center for Legal Affairs, (800) 786-4262 or firstname.lastname@example.org.