HIPAA Omnibus Ruling
by Leigh-Ann Renz, 6.6.13
On January 17, 2013, the Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) released its comprehensive (563-page) “Omnibus Rule”, amending the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. The Omnibus Rule took effect March 26, 2013, and compliance with most provisions is required no later than September 23, 2013. What does this mean for you?!
We’ll be covering details about each of these items in future posts (there’s a lot of information to dissect from 563 pages!), but here are the highlights of the Omnibus Rule and how it may affect your business:
IF YOU ARE A COVERED ENTITY:
Revised Notice of Privacy Practices (NPPs): Covered entities will most likely need to create and distribute a revised notice of privacy practices informing patients/clients of their rights and how their information is safeguarded. NPPs must now include a description of the types of uses and disclosures that require an authorization under § 164.508(a)(2)-(a)(4), including most uses and disclosures of psychotherapy notes.
(What defines a covered entity? Virtually all healthcare providers, including home health, mental health, dentists, ambulance services, etc.; all healthcare payers, including insurers and health plans; and all healthcare clearinghouses that process or route electronic claims.)
IF YOU ARE A BUSINESS ASSOCIATE:
Expanded Liability for Business Associates: Essentially, the rule extends direct responsibility to business associates of covered entities and to their subcontractors. This means that business associates also have to ensure that their subcontractors are in compliance with HIPAA if the subcontractor creates, receives, maintains or transmits protected health information (PHI).
In addition to a long list of enhanced responsibilities, there is also a proposed rule that business associates and their subcontractors are subject to the Minimum Necessary Rule, meaning that they must “make reasonable efforts to limit [the PHI] to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
(What defines a business associate? Non-employees who perform services for a covered entity and who have access to PHI, for example: attorneys, medical transcriptionists, vendors, billing services, etc.)
IF YOU ARE EITHER (CHANGES AFFECTING COVERED ENTITIES AND BUSINESS ASSOCIATES ALIKE):
- Patients/clients can restrict disclosures to a health plan if they pay in full for treatment.
- Patients/clients now have the right to receive electronic copies of their health information.
- Covered entities may disclose a deceased person’s health information to family members and others who were involved in the person’s care or payment for care.
- One of the final rules establishes “non-discrimination against consumers/patients with genetic information and prevents health plans from discrimination for underwriting purposes.”
- There is now a final rule enforcing the tiered civil penalties set forth in the HITECH Act, with penalties of up to $1.5 million per year for violations of an identical provision.
- Changes to the Breach Notification Rule: The Omnibus Rule removes the “harm threshold” set forth by the HITECH Act of 2009 and replaces it with a more inclusive standard: “a presumption that any acquisition, access, use or disclosure of PHI not permitted under the HIPAA Privacy Rule is a breach unless a covered entity or business associate can demonstrate that ‘there is a low probability that the [PHI] has been compromised based on a risk assessment.’” This obviously ups the ante for both covered entities and business associates! The current threshold remains in effect until September 23, 2013, and HHS has noted that it will provide future guidance on the risk assessments associated with breaches.
Keep a lookout for future posts providing details about the above, and check out the following resources for more information:
- The Omnibus Final HIPAA Rule Is Here
- HIPAA Omnibus Rule
- New rule protects patient privacy, secures health information
- New HIPAA Omnibus Rule: A Compliance Guide