Main navigation

June 2013 Bulletin: Malpractice

HIPAA Omnibus Rule (The Final Rule)What do medical practices need to do?

Denise Condron, Associate Director of Clinical Risk Management, CMIC

—Denise Condron, Associate Director of Clinical Risk Management, CMIC

In January 2013 the Office of Civil Rights of the Department of Health and Human Services published its Omnibus Final Rule (Final Rule) for the Health Information Technology for Economic and Clinical Health (HITECH) Act under the Health Insurance Portability and Accountability (HIPAA) Act. Regulations became effective March 26, 2013, Covered Entities have until September 22, 2013 to have their final changes in place.

What do medical practices need to do?

  1. In order to make necessary changes, first you should understand what is considered a Covered Entity (CE) and what is a Business Associate (BA).
    • Covered Entities are healthcare providers, payers and clearinghouses. They are allowed to share data and are held directly liable for data breaches.
    • Business Associates support Covered Entities and have access to patient data. Business Associates cannot share data. Business Associates are now being held to the same standards as Covered Entities. Examples include:
      • Anyone who has physical access to your office, such as cleaning staff
      • Anyone who accesses data, such as IT consultants, transcriptionists
      • Organizations that maintain data are now BAs, including EHR vendors, Cloud services (email, remote servers, back-up), paper storage facility
      • Consultants, lawyers, accountants
  2. When you have this understanding, make a list of all BA's with which your office works. It may be helpful to brainstorm with multiple employees. Notify BAs you will send them a new agreement to sign and return by September 2013.
  3. Update your Business Associate Agreement. For a sample go to:
  4. Update your Notice of Privacy Practices (NPP) to include:
    • Method of notification in the event of an improper disclosure of Protected Health Information (NPI)
    • How the NPP will be distributed including the electronic notice
      • The revised NPP must be provided to all new patients and current patients who request a copy
      • The electronic version must be updated on the practice website
      • Consider posting a memo that the NPP has been updated in your waiting room, exam rooms and/or on your website
      • Consider leaving printed copies of the NPP on the patient registration desk
  5. Update your HIPAA Privacy Policies and Procedures to include:
    • Changes to the definition of Protected Health Information (PHI)
    • Access to records
    • Electronic storage of PHI
    • Disclosures
    • Marketing
    • Notification to caregivers
    • Research
    • Decedents
    • Immunization records
    • Changes to the disclosure of psychotherapy notes requiring an individual's written authorization
    • Changes to the release, restrictions and electronic access (these vary depending on the intended use)
  6. Update your HIPAA Authorization Release Form

Remember to date revisions to documentation including the electronic version posted on the practice website. Review changes with staff and document training sessions.

Denise Condron, Associate Director of Clinical Risk Management, CMIC CMIC, established as a mutual company in 1984, is a leading doctor-owned provider of professional liability insurance and services to doctors, hospitals and healthcare professionals. CMIC is headquartered in Glastonbury, CT and serves New England exclusively. For more information visit CMIC’s website at

Contact PIAM

  • Telephone Numbers
781-434-7525 Insurance All Departments
781-434-7398 Medigap, MMS Member Benefits, Health, Financial Services, and Long-Term Care
  • Fax Number
  • 781-434-6929