
Top tips for maintaining compliance with the latest HIPAA Omnibus rule

Recent report details top tips for ensuring your office is HIPAA compliant

In the healthcare industry, keeping patient information safe is an ongoing challenge, particularly in the digital age, when data can be compromised through unsecured networks and data breaches.

Six months ago, the HIPAA Omnibus rule was passed and put into effect to provide additional protection for patient information. While it is imperative to keep patient and client information confidential and protected, failing to comply with the latest compliance standards can also result in penalties from the Office of Civil Rights.

A recent AE Tech Group report outlines five checkpoints for ensuring your establishment is HIPAA compliant:

Business associate accountability

According to the report, any company that sends or regularly accesses patient data is a business associate. Each associate is responsible for protecting the data it is entrusted with, which creates a sizeable liability for employees and employers alike. To protect yourself as an employer, make sure each employee signs a Business Associate Agreement that clearly outlines his or her responsibilities.

Patient access

The omnibus states that patients must have access to their medical records in whichever electronic format they prefer, even if the patient’s requested format creates a security risk. Hospitals and providers are only obligated to let the patient know about the increased risk, according to AE Tech Group.

Marketing partners

Providers cannot partner with a third-party service for marketing purposes unless they first receive information from each patient. In addition, if the third party needs access to patient data, the patient must give permission before it can access any records. Marketing agreements that were already in place before the Omnibus rule have until September 23, 2014 to obtain that permission.

Protected data for the deceased

After a patient passes away, the only people to whom providers can release healthcare information are the person's family members, close friends, or anyone the patient indicated was involved in his or her care. Once a patient has been deceased for more than 50 years, his or her data is no longer available.

The role of a risk analysis

The most effective way to measure compliance is to perform a regular risk analysis. If a data breach were to occur, the Office of Civil Rights would want to see evidence that the company had performed a risk analysis, according to the report.

Contributing Author

Stefanie Mosca