May 02, 2013

In this client alert, Jenner & Block Partners Jerry Oshinsky, Linda D. Kornfeld and Mary Ellen Callahan, and Associate Kirsten C. Jackson examine important modifications to the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules (Omnibus Rule). These changes became effective on March 26, 2013, and healthcare providers have until September 23, 2013, to comply.  The Omnibus Rule greatly expands the definition of “business associates” including subcontractors and cloud service providers, and all business associates are now required to comply with the HIPAA Security Rule, including performing a HIPAA security risk assessment. The authors also advise healthcare providers to begin examining their insurance portfolios as soon as possible to determine whether these new HIPAA-related exposures may be covered by insurance.