The 180 days period for compliance with the amended HIPAA ends on 23rd September 2013. The period commenced on 26th March 2013 when the new rules became effective. Those who have set in motion the procedures for compliance will be comfortable. Those who have not initiated the exercise will need to hurry up with the tasks. Here is a quick survival guide for those who are gearing up to meet the deadline!

Remember the effective dates. It may be a good idea to remind your organization of the key dates, repeatedly, by displaying the following table at a prominent place.

Date Task to be completed
26th March 2013 The rules became effective
23rd September 2013 Compliance with rules becomes mandatory
25th September 2013 Restrictions on sale of Personal Health Information (PHI)
22nd September 2014 All business associates (including sub contractors) obliged to comply with new HIPAA rules


Further, a summary of the rules to be seriously reviewed (detailed as under) may be displayed prominently as a reminder:

  1. Definition of business associate has been modified
  2. Breach notification rules have been modified
  3. Individual’s rights with regard to their PHI have been enhanced
  4. Circumstances under which covered entities are subject to HIPAA
  5. Fund raising restrictions

The following Action Points may be considered:

  • Make an inventory of all persons who can be categorized as “Business Associates” under the new rule and review the agreements with them. The agreements will have to be modified to comply with the new rules.
  • Remind all Business Associates to comply with the new rules
  • Ensure that they do not use or disclose PHI in contravention of the amended HIPAA rules.
  • Disclose PHI when mandated by law.
  • Initiate update cycles with Business Associate Agreements to ensure that all Business Associates are up to date on their agreements by September 22, 2014.
  • Ensure distribution and redistribution of updated “privacy notices” as mandated.
  • Review the rules for the investigation and response to potential breach in the context of the lowered threshold for notification and the nature and extent of PHI involved.
  • Implement processes for the conduct and documentation of risk assessments and probability of breach.
  • Review and ensure that all individual rights are safeguarded in sync with the new rules of HIPAA

Note that the implementation requires concerted effort and that HHS may issue further guidance on many of the above action points.