Monday, August 26, 2013 September 23 HIPAA Deadline Approaches Practitioners have until September 23 to comply with provisions of the final rule that earlier this year extensively modified the privacy, security, and enforcement regulations established under the Health Insurance Portability and Accountability Act of 1996, or HIPAA. The final rule expanded many of the requirements to business associates of covered entities that receive protected health information, such as contractors and subcontractors. If a covered entity did not have a business associate agreement in place by January 25 this year that was compliant with the previous HIPAA regulations, it must enter into one by September 23. However, entities that did have HIPAA-compliant business agreements place as of January 25 may get a 1-year extension to revise their agreements, as long as they did not or do not renew those agreements between March 26 (the date the new rule took effect) and September 23. Any agreement that is renewed after September 23 must comply with the new rule, which also increases the penalties for noncompliance to a maximum of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. The new rule also expands individual rights under HIPAA, and by September 23 these rights must be added to the Notice of Privacy Practices (NPP) that providers give to new patients. For example, patients can ask for a copy of their electronic medical record in an electronic form, and they can instruct their provider to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full. The rule also sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of individuals' health information without their permission. Association members can access the document on the Health Information Technology webpage under "APTA Summaries" and APTA's HIPAA webpage.