Learn More – HIPAA Final Rule for Small Practices


When the final modifications to the HIPAA/HITECH Privacy & Security rule (also known as the HIPAA/HITECH Omnibus Final Rule) were released in January 2013, they greeted by a wide variety of emotions- from stressful confusion to blissful misunderstanding, depending on an individual’s role in the health care community. However, the September 23 compliance date is quickly approaching – which means that the time left to understand the regulations and determine how to implement the requirements is quickly waning.

If you are a small practice or individual health care provider, there are multiple areas of the Omnibus Rule that may impact your business and the way you interact with patients. The following points are just a sample of some of the changes in the Omnibus Rule; for personalized information on the Final Rule as it relates to your practice, it is suggested that you utilize an independent professional who can apply the regulations to your specific situation.

  • Business Associate (BA) definition + contracts: Subcontractors are now considered BAs, as well as any organization that has access to electronic PHI; HHS clarified that subcontractors who create, receive, maintain or transmit PHI should be considered BAs except in certain narrow and specific circumstances. The lack of a BA contract does not relieve liability but instead a BA is defined by the work they do.
  • New breach notification rules: The Final Rule provides a more objective standard to determine whether breach notification is merited based on the probability that data was compromised. You and your staff will need to know about the new procedures for reporting incidents.
  • Privacy Rule updates: Providers should update their Notice of Privacy Practices and redistribute to all patients.
  • Releasing immunization records: There are now easier authorizations for releasing a patient’s immunization records to schools.
  • Granting electronic access to health information: Providers are now required to grant patients electronic access to their health information if it is requested that way by the patient and is maintained electronically.

Understanding the implications of this rule as an individual provider can certainly be daunting. To help education providers on these topics, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Workgroup for Electronic Data Interchange (WEDI) is launching a series of co-sponsored webinars on various aspects of the HIPAA/HITECH Omnibus Final Rule. The 90-minute webinars are specifically designed for small health care providers, with a focus on practical strategies for implementing the Omnibus Rule changes within a small clinical practice.

The virtual sessions are scheduled for June 14, June 28, July 17 and July 26, 2013 from 1:00pm – 2:30pm Eastern Time (10:00am-11:30am Pacific Time) on the following topics:

  • HIPAA/HITECH Omnibus Overview of the Rule –  June 14
  • Drill down on the new HIPAA/HITECH Privacy Rule – June 28
  • Breach and Enforcement under the HIPAA/HITECH Omnibus Rule – July 17
  • Business Associates and the HIPAA/HITECH Omnibus Rule  - July 28

Registration is free of charge and available at: http://www.wedi.org/forms/meeting/MeetingFormPublic/view?id=2C09800000249.

WEDI was formed in 1991 by then Secretary of HHS Dr. Louis Sullivan and was named in the original 1996 HIPAA legislation as an advisor to HHS.

Contributing Writer

Practice Fusion draws from a community of doctors, medical experts, and digital health influencers that contribute to blog posts. Read all posts from our guest writers