HIPAA Omnibus Rule
Background and Recent Updates
At the beginning of 2013, the U.S. Department of Health and Human Services released the final HIPAA omnibus rule. The rule runs to 563 pages and addresses multiple issues. Publication had actually been promised one year earlier, yet the business associates and covered entities affected by the rule still have only eight months to comply with its requirements. A thorough review of the entire rule reveals five major areas of change affecting compliance.
Business Associates are now directly liable, with increased penalties, for noncompliance. This covers their own actions as well as negligence and noncompliance on the part of any of their subcontractors.
This increased exposure for business associates makes it critical that all parties remain compliant at all times.
Any subcontractor that creates, maintains, receives, or transmits protected health information is covered by this new rule. This creates a “chain of assurances and liability” that follows protected health information wherever it goes, and it also lays out plans for breaches of that information.
An exception to this rule concerns who can be considered a Business Associate. A person or entity is a Business Associate only when it performs a function or activity regulated by the HIPAA Rules on behalf of a Covered Entity (for example, individuals performing payment or healthcare operations functions).
Breach Notification Requirements
The rule further elaborates the HITECH breach notification requirements. Specific details are provided on which breaches of information must be reported to the government.
Depending on the situation, breaches of unsecured health information affecting individuals may have to be reported to the Department of Health and Human Services. The exact scenarios are described in greater detail within the rule itself.
The rules regarding limitations of disclosures for provider fund-raising efforts have been tightened, and all involved parties should ensure that they are in compliance with these rules at all times.
Patients are now entitled to request a copy of their electronic medical record in electronic form. In addition, when patients pay in cash, they can instruct the provider not to share any information about their treatment with their health plan.
There are new protocols in place which help to give patients more options and more power regarding their healthcare information.
The final omnibus rule became effective on March 26, 2013. Covered entities and Business Associates were required to be in compliance with the rule 180 days after this date. One of the strongest impacts of this change is that it clearly makes the Omnibus Rule the “go to” source for Health and Human Services guidance on a number of issues related to patient information. When in doubt, industry professionals should consult the Omnibus Rule for further clarification of their responsibilities.
The omnibus rule contains a great deal of industry-critical information with regards to healthcare data, and professionals in the field will gain much by consulting the source itself when questions arise.
For healthcare professionals, the two biggest changes will be the breach notification process and the elements used to determine the “cost” of processing requests from patients. Staying on top of changes in relevant healthcare rules, especially with regard to HIPAA, is critical for anyone playing a role in the healthcare industry. As electronic medical records and other technological changes are embraced, further rules and regulations governing these systems, and particularly patient data, are likely to be developed. All covered entities and Business Associates are responsible for understanding pending changes and ensuring that their organizations are compliant with all regulations.