The HIPAA Omnibus Final Rule changes go into effect on September 23. Covered entities have been required to provide Notice of Privacy Practices for several years. Those notices need to be revamped. The Final Rule clarifies and expands the obligation to report breach of protected health information (PHI) to patients. Covered entities must specifically notify patients of a right to be informed of breach. More importantly, there will now be a rebuttable presumption of breach unless the covered entity can show through a four-factor test that there is a low probability of PHI compromise.
There are also requirements for the notice of disclosures to health plans, marketing and sale of PHI, and the right to opt out of communications.
These are considered material changes, thus it is important to revise the notice to reflect the changes and make it available.