Understanding the HIPAA Omnibus Rule is likely something you have been working on since the Federal Register published the 138 three-column pages on January 25, 2013. The deadline for compliance is required with respect to most provisions no later than September 22, 2013.
The final rules address multiple privacy issues as well as some changes to the definition of “business associate” and the direct application of the Privacy Rule to business associates and their subcontractors. The final rule expands the individual right of patients and buckles down on the consequences physicians will face when patient information is breached. Practices could face penalties ranging from $100 to $50,000 per violation depending on culpability and an annual maximum cap of $1.5 million on a per provision basis. Business associates and subcontractors are directly liable for their violations, but covered entities also can be penalized for violations. Compliance reviews will be conducted by the Department of Health and Human Services (HHS) if deliberate negligence is shown following a preliminary review of the facts.
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
-HHS Office for Civil Rights Director Leon Rodriguez
Don’t let the sweeping changes intimidate you. Instead, stay informed on the changes and prepare for what is to come. A few changes worth noting are:
Business Associate definition is essentially a company or any person who is not a member of the workforce for the covered entity but has access to PHI. Contractors and subcontractors are now considered business associates. Typical Bas in a physician office practice include vendors involved in creating or maintaining the practice’s medical records, billing service, answering service, practice management consultants, and possibly attorneys if they need access to PHI.
Not only will the HIPAA audits be more frequent but the auditors will be incentivized to find security problems. Therefore, auditors will be digging deep to find any and all security holes.
A breach now covers the risk of an event rather than just the event. No longer do you need to worry about losing the laptop but also what could happen if you lose it. Practices need to focus on preparing for the worst possible scenario as well as avoiding the worst possible scenario.
Patients have the right to receive a “machine readable” copy of portions of the EHR related to him/her. Physicians cannot charge a cost for “retrieval” of this information but can charge the actual cost of responding to the request. The response time is lessened to 30 days but some states require faster responses.
The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The final rule may be viewed in the Federal Register here.