HIPAA Omnibus Rule and Privacy Requirements
The final rule addresses multiple privacy issues related to uses and disclosures of PHI, such as:
• Communications for marketing or fundraising,
• Exchanging PHI for payment,
• Disclosures of PHI to persons involved in a patient’s care or payment for care,
• Disclosures of student immunization records.
Individuals now have new rights to restrict certain disclosures of PHI to health plans and to request access to electronic PHI (ePHI).
All of these changes will require you to update or modify:
• Notices of privacy practices
• Research authorizations
• Internal policies
• Training programs, which may require updates to address the rule modifications.
As per the HIPAA Omnibus Rule, business associates and subcontractors must comply with the Security Rule in full. Given the daunting nature of achieving Security Rule compliance.
To implement the Genetic Information Nondiscrimination Act (GINA), HHS has included “genetic information” as a type of health information subject to HIPAA rules, and has imposed restrictions that will prohibit health plans from using genetic information for underwriting purposes and employers from using it in the hiring and promotion process.
It is obvious that this new rule will require the health care industry to educate patients with regard to their privacy and disclosure rights. Patients will need to know how their information is used and disclosed, and how to submit complaints pertaining to privacy violations. The HIPAA Omnibus Rule will require healthcare providers to update their Business Associate Agreements, obtain assurances from Business Associates that they are complying with the HIPAA Security Rule and that they have updated their Notice of Privacy Practices. These entities should also try to better understand HIPAA requirements so that they are aware of their risks and responsibilities towards their patients.