Guide to 2014 Omnibus Compliance
by Leigh-Ann Renz, 1.9.14
How does HIPAA Omnibus apply to mental & behavioral health?
HIPAA affects all forms of medical care, including mental & behavioral health, ABA, speech therapy, OT, and PT. In 2013, HIPAA laws were updated in a revision known as Omnibus that went into effect on 3/26/13. Whether you accept Medicaid/Medicare, insurance, or are only self-pay, HIPAA Omnibus applies to your practice.
Omnibus compliance has been required since 9/23/13, and it has been predicted that failure to comply will catch practices unaware in 2014. With hefty penalties / criminal charges at stake, you must ensure that your organization is up-to-date with Omnibus. If you missed the deadline, here’s a quick guide to getting caught up and compliant:
1. Get informed about Omnibus
Make the research investment to get up to speed, and, as you identify new practices to put in place, ensure that all of your staff receive the necessary education & training to secure compliance. Check out our HIPAA Resource Center for helpful reference guides and complimentary tools.
If you don’t already have someone who can help you decipher the new requirements, this would be the time to secure a resource like a HIPAA compliance officer to make sure you’re covering all your bases. This could be someone in your organization who will attend trainings, conduct heavy-duty research, change practice procedures as needed, and facilitate internal audits; or a reputable outside consultant.
2. Update your Notice of Privacy Practices (NPPs)
Covered entities (CEs, that’s you!) will need to create and distribute a revised notice of privacy practices informing patients / clients of their rights and how their information is safeguarded. NPPs must now include a description of the types of uses and disclosures that require an authorization under § 164.508(a)(2)-(a)(4), including most uses and disclosures of psychotherapy notes. Check out our step-by-step NPP guide.
3. Update your contracts with BAs (Business Associates)
BAs are non-employees who perform services for a covered entity and who have access to PHI (protected health information); for example: attorneys, medical transcriptionists, vendors (such as PIMSY EHR!), billing services, etc. Under Omnibus, BAs are now required to be HIPAA compliant. That means that anyone you do business with who has access to your clients’ PHI is now sharing responsibility and liability for breaches. Update your BAA (business associate agreement) to specify how the BA is authorized to use that information and identify limitations.
4. Protect clients’ PHI
Whether it’s on paper, a laptop, tablet, phone, or any other format, it’s your responsibility to ensure this data remains protected. If you’re using an EMR, the system itself should provide a high level of protection and help reduce the risk of breach. Regardless of EHR, you need to ensure that PHI is protected across the board, on all devices and with all staff members.
5. Conduct HIPAA Risk Assessments
CEs and BAs must conduct risk assessments, and your HIPAA compliance officer should be making sure that the assessment data is analyzed and organized in case of a breach. This will help you mitigate and avoid penalties. See #7 below for more details. For small businesses and practices, rely on parent organizations or even government programs to help you conduct risk analysis.
6. Restrict PHI disclosures
Omnibus requires that health care providers let individuals know that they can restrict certain disclosures of PHI to a health plan if they have paid for the health care item or service out-of-pocket in full. For example, if someone is being treated for drug abuse, they can request that this be withheld from their health plan, if they pay out-of-pocket.
As a provider, you have to make sure that this data is being sequestered: how will your office handle this? Will all of your staff check a master list first to see whether a client is paying for services out of pocket before they move on to the usual records, so that the client’s privacy is protected? The data will still need to be part of the client record, for safeguards such as drug-to-drug interaction alerts, but sequestered from the rest of the chart. This is much easier with an enterprise-level EHR, but you need a secure plan in place regardless.
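The sequestration just described, as an added illustration that is not part of the original article or of PIMSY: restricted items are filtered out of health-plan disclosures but remain in the chart for clinical safety checks. The record layout, purpose names and the sample chart are assumptions.

```python
"""Purpose-based chart filtering: items the client paid for out-of-pocket in
full and asked to restrict are withheld from health-plan disclosures but stay
visible to clinical safety checks. Added illustration; layout is assumed."""
from dataclasses import dataclass, field
from enum import Enum

class Purpose(Enum):
    HEALTH_PLAN = "health_plan"          # claims, payment, plan operations
    CLINICAL_SAFETY = "clinical_safety"  # e.g. drug-to-drug interaction alerts
    TREATMENT = "treatment"

@dataclass(frozen=True)
class ChartEntry:
    entry_id: str
    description: str
    paid_out_of_pocket_in_full: bool = False
    restriction_requested: bool = False

@dataclass
class Chart:
    client_id: str
    entries: list = field(default_factory=list)

def is_restricted(entry: ChartEntry) -> bool:
    """The Omnibus restriction applies only when both hold: the client asked
    for it AND paid for the item or service out-of-pocket in full."""
    return entry.restriction_requested and entry.paid_out_of_pocket_in_full

def disclose(chart: Chart, purpose: Purpose) -> list:
    """Entries a requester with the given purpose may receive. Health-plan
    disclosures drop restricted entries; clinical purposes keep the whole
    chart so safety checks such as interaction alerts still work."""
    if purpose is Purpose.HEALTH_PLAN:
        return [e for e in chart.entries if not is_restricted(e)]
    return list(chart.entries)

# Constructed sample chart (not real client data).
SAMPLE_CHART = Chart("client-0001", [
    ChartEntry("e1", "Intake assessment"),
    ChartEntry("e2", "Substance use counseling session",
               paid_out_of_pocket_in_full=True, restriction_requested=True),
    ChartEntry("e3", "Medication review",
               paid_out_of_pocket_in_full=False, restriction_requested=True),
])
```

Entry e3 shows the edge case: a restriction request alone is not enough, because the client did not pay for that item in full, so it is still disclosed to the health plan.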
7. Update incident response and breach notification processes
Update your incident response and breach notification processes to incorporate the Omnibus modification from a “risk of harm” standard to a “presumption of breach” standard, and to include the four-factor assessment detailed below. This goes along with the Omnibus change under which providers are now presumed to have caused harm when data is breached.
CEs and BAs must examine the probability that PHI has been compromised based on a risk assessment that would be performed following any security breach. The risk assessment looks at: 1) the nature and extent of the PHI involved; 2) to whom the PHI may have been disclosed; 3) whether the PHI was actually viewed or obtained; and 4) the extent to which the risk to the PHI has been mitigated (for example, if someone found your laptop containing a list of all current clients, their assurance that this information will not be further used or disclosed).
If the risk assessment fails to indicate that there is a low risk that the PHI has been compromised, breach notification is mandatory. This risk assessment should be documented in your records for all potential breaches.
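The breach-notification decision from #7, as an added illustration that is not part of the original article or of PIMSY: notification is the default, and only a fully documented four-factor assessment showing low probability of compromise turns it off. The factor keys, the LOW/NOT_LOW scale, the rule that every factor must be rated LOW, and the lost-laptop sample are assumptions.

```python
"""Omnibus "presumption of breach": an incident is a reportable breach unless a
documented four-factor risk assessment shows a low probability that PHI was
compromised. Added illustration; factor keys and the all-LOW rule are assumed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
import json

FACTORS = (  # the four factors the Omnibus risk assessment must consider
    "nature_and_extent_of_phi",
    "to_whom_phi_may_have_been_disclosed",
    "whether_phi_actually_viewed_or_obtained",
    "extent_risk_has_been_mitigated",
)

class Risk(Enum):
    LOW = "low"
    NOT_LOW = "not_low"

@dataclass(frozen=True)
class Finding:
    risk: Risk
    rationale: str  # an empty rationale is an undocumented finding

def notification_required(findings: dict) -> bool:
    """Presumption of breach: True unless every factor has a documented
    finding and every finding is LOW (assumed combination rule)."""
    for factor in FACTORS:
        f = findings.get(factor)
        if f is None or not f.rationale.strip() or f.risk is not Risk.LOW:
            return True
    return False

def assessment_record(incident_id: str, findings: dict) -> str:
    """JSON record of the assessment, kept for every potential breach."""
    return json.dumps({
        "incident_id": incident_id,
        "assessed_at": datetime.now(timezone.utc).isoformat(),
        "factors": {k: {"risk": v.risk.value, "rationale": v.rationale}
                    for k, v in findings.items()},
        "notification_required": notification_required(findings),
    }, indent=2, sort_keys=True)

LOST_LAPTOP = {  # constructed example: the lost laptop from the text
    "nature_and_extent_of_phi": Finding(Risk.NOT_LOW, "List of all current clients"),
    "to_whom_phi_may_have_been_disclosed": Finding(Risk.LOW, "Finder identified"),
    "whether_phi_actually_viewed_or_obtained": Finding(Risk.LOW, "Disk encrypted"),
    "extent_risk_has_been_mitigated": Finding(Risk.LOW, "Written assurance given"),
}
```

Because the record is produced whether or not notification is required, it doubles as the documentation the text says you must keep for every potential breach.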
Check out more tools and tips in the PIMSY HIPAA Resource Center, and see Practice Manager Solutions for detailed options.
See more about PIMSY EHR and how it can enhance compliance.
Disclaimer: Ultimately, it is the responsibility of each practice to ensure HIPAA compliance, including the Omnibus revisions. PIMSY EMR/SMIS has gathered information from various resources believed to be authorities in their field. However, neither PIMSY EMR/SMIS nor the authors warrant that the information is in every respect accurate and/or complete. PIMSY EMR/SMIS assumes no responsibility for use of the information provided. Neither PIMSY EMR/SMIS nor the authors shall be responsible for, and expressly disclaim liability for, damages of any kind arising out of the use of, reference to, or reliance on, the content of these educational materials. These materials are for informational purposes only. PIMSY EMR/SMIS does not provide medical, legal, financial or other professional advice and readers are encouraged to consult a professional advisor for such advice.