Understanding the HIPAA Omnibus Final Rule
- Tips for meeting HIPAA Omnibus compliance -
By: James W. Thweatt III, Keating Muething & Klekamp
It is important to understand the major changes presented by the HIPAA Omnibus Final Rule to help ensure compliance. The compliance deadline was September 23, 2013. The Omnibus Final Rule includes sweeping changes with regard to enhancing a patient’s privacy protections.
Once records leave your hands, they should be handled with the same security as when they are with you, and that is the exact purpose of the Omnibus Rule. Designed to keep business associates and subcontractors accountable, the Omnibus Rule creates a new breach standard, clarifies the definition of a “business associate” and implements a new penalty structure mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Non-compliance comes with many risks. According to the Department of Health and Human Services (HHS), 20 percent of HIPAA breaches affect more than 12 million patients. The Omnibus Rule ensures that anyone who handles any function of your healthcare organization’s information will be held to the same standards as you, including healthcare providers and their business associates.
Clarifying the Changes
It is important to understand the major changes presented by the Omnibus Rule to help ensure compliance. This includes the following:
- Strict HIPAA enforcement rules. The Omnibus Rule incorporates the changes to the HIPAA enforcement rules under the HITECH Act. Under these rules, there are multiple categories of violations and a tiered penalty structure with increasing penalty amounts tied to increased levels of culpability. Covered entities and business associates can expect to see increased enforcement as business associates will now be assessed civil monetary penalties for any PHI disclosures. There is a maximum penalty of $1.5 million for all violations of an identical provision within a given year.
- Definition of “business associate” and “business associate agreement” requirements. The revised definition of “business associate” now includes their service providers and entities that maintain protected health information (PHI), including companies and subcontractors that maintain, receive or transmit PHI. Also, the Final Rule modifies the content requirements of business associate agreements. As a result, covered entities and business associates will need to revise existing business associate agreements. HHS has posted a sample version of a revised business associate agreement on its website. Nevertheless, covered entities and business associates will likely want to incorporate additional protections in their agreements, such as a clause stating your business associates will comply with all present and future laws and regulations.
- Breach notification rules. The Omnibus Rule eliminates the “substantial risk of harm” standard under the breach notification rules. As a result, any impermissible use or disclosure is presumed to be a breach requiring notification, unless the covered entity or business associate (as applicable) demonstrates through a risk assessment that there is a low probability that PHI has been compromised. As modified, the breach notification rules require consideration of at least additional objective factors when conducting these risk assessments. Breach notification policies and procedures will need to be revised in response to these changes.
- PHI modifications. The Omnibus Rule prevents businesses from selling PHI without clear-cut authorization by the individual. The use of PHI for fundraising or marketing is also prohibited without the permission of the individual. The Omnibus Rule also expands the patient’s right to receive electronic records through email. Patients can request that a provider not release any information if they self-pay for the visit. As a result, health plan covered entities subject to this prohibition will need to revise their Notice of Privacy Practices and Breach Notification Policies accordingly.
Conduct a Risk Analysis
As of January 2013, HHS received over 274 reported breach incidents due to theft — the top breach cause, accounting for 52 percent of incidents. That statistic alone shows the need for the new HIPAA regulations and the benefits of conducting a risk analysis. The following steps should be included in a risk assessment:
- Consider implementing new policies and procedures. Review your existing security of protected health information. Determine how your information is transported from the warehouse to you. Is it secure in the truck? It is important to make sure your business associates have systems in place to protect PHI.
- Prevent a breach from happening. Identify any threats and vulnerabilities in your system. Look into user access controls and make sure they are properly configured. When training employees, ensure that nothing is overlooked. Make sure all HIPAA training is up-to-date with the new rule and vetted through legal counsel. By ensuring a strict and accurate training program, your business, employees and patients are better protected.
- Contain information. Set up safeguards to identify who accesses a patient’s records. Monitor who is going into a patient’s records and determine if they really need to have access to that information.
- Correct violations. Establish policies that hold individuals who break rules and regulations accountable so you are not setting yourself up for disaster. It is also important to mitigate your security risk, including if a portable device is stolen. Work with IT to set up controls that prevent someone else from getting into the patient information on a stolen device.
Just as protecting the privacy and security of health information is a continuous process, you should also review your risk assessment periodically to make sure you have addressed responses to potential breaches in PHI. Set up a schedule so that you stay current and updated. If you see any holes in your system, put steps in place to prevent a breach and remain compliant.
James W. Thweatt III is a partner at Keating Muething & Klekamp PLL. For more information, please visit www.kmklaw.com.