Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re on a 10-day countdown for compliance with most of the Omnibus Rule requirements.  In a motion filed jointly with the plaintiff in the U.S. District Court for the District of Columbia on September 11, 2013, defendant HHS stated that it decided not to enforce the Omnibus Rule’s restriction on “remunerated refill reminders” until November 7, 2013.  HHS expects to issue guidance by September 23, 2013 on the amount of financial remuneration that will be considered “reasonably related to the covered entity’s cost of making the communication” so as not to cause refill reminders or other communications about drugs or biologics to be treated as “marketing” communications that require an individual’s prior authorization. 

So while covered entities and business associates (and their counsel) have a short reprieve with respect to this one Omnibus Rule prohibition, there are plenty of other new provisions that cannot be ignored.  Between today and September 23, 2013, we will post 10 tips that will help our readers bring their HIPAA policies and procedures, forms, and contracts up-to-date before the upcoming compliance deadline.


Check to make sure you have adequate “red flags” in place to comply with patient-requested restrictions on disclosure.

Provider covered entities must agree to an individual’s request to restrict disclosures of the individual’s PHI to a health plan when the PHI relates solely to items or services for which the individual (or someone on behalf of the individual, other than the health plan) has paid the covered entity in full – as long as the disclosure is not “otherwise required by law.” 

The provider’s Notice of Privacy Practices should be amended so that patients know they have this right, and providers may want to consider creating a separate form that can be given to for patients who want to pay “out of pocket” so that their PHI is not sent or made available to their health plan. This form could clarify the provider’s obligation and set forth some of the exceptions that might apply (such as where the provider participates in a network and is not permitted, under the contract, to treat the patient as out-of-network, or where the patient wants to pay for just one service that is part of a bundle of services).  The form could also make it clear that the provider is not required to tell other providers about the restriction, even where subsequent items or services appear related to the requested restriction.