The HIPAA Omnibus Rule
The HIPAA Omnibus Rule was finalized by the Office for Civil Rights (OCR). The Office of Management and Budget (OMB) approved the final rule and subsequently published it in the Federal Register. The Federal Register has published the final Omnibus rules written by the U.S. Department of Health and Human Services (HHS) that will modify the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. The United States Government’s requirement to implement Electronic Medical Records and Health IT compliance has prompted the US Government to adopt the long awaited HIPAA Omnibus Rule.
The modifications implement most of the privacy and security provisions of the HITECH Act and relevant provisions of the Genetic Information Nondiscrimination Act (GINA). The rule changes are not surprises but are very impacting and will change the responsibilities imposed on covered entities, business associates and subcontractors.
The rule effectively merges four separate rule makings, which are as follows:
• Amendments to HIPAA Privacy and Security rules requirements;
• HIPAA and HIPAA HITECH under one rule now;
• Further requirements for data breach notifications and penalty enforcements;
• Approving the regulations in regards to the HITECH Act’s breach notification rule;
The Omnibus Rule includes regulations that will
• Manage the use of patient information in marketing;
• Includes a provision that requires healthcare providers to report data breaches that are deemed not harmful;
• Makes certain that business associates and subcontractors are liable for their own breaches and requires Business Associates to comply with HIPAA.
• The rule requires HIPAA privacy and security requirements to be employed by business associates and sub-contractors.
The compliance deadline for virtually every provision of these rules is September 23, 2013.
HHS has eliminated the harm threshold that requires the entity to provide a notice of a security breach should the breach pose a significant risk of harm to affected individuals and that the breach was over 500 individuals. It has implemented instead that any use or disclosure of protected health information (PHI) that is not permitted by the Privacy Rule will be presumed to be a reportable breach. Covered entities and business associates can prevent this deduction by conducting a risk analysis using the four factors that HHS published in the rule, but HHS has made clear that its expectation is that impermissible uses and disclosures of PHI will likely be a reportable breach. This change will mean an increase in the number of breaches reported.
Some of the Privacy Rule and all of the Security Rule now apply directly to business associates and their subcontractors. Business associate agreements are likely to require an update and, in light of breach requirements and increasing compliance reviews, covered entities should improve their process to review business associate compliance and consider appropriate liability protections in their business associate agreements. HHS has provided a new Business Associate for Entities use.
Enforcement and Penalties
HHS has retained its penalty schedule that is currently in effect, meaning that penalties can range from $100 to $50,000 per violation depending on an entities due diligence and level of willful neglect. These fines can be up to an annual maximum cap of $1.5 million per violation. Business associates and subcontractors are directly liable for their violations, but covered entities also can be penalized for their violations. A covered entity can get blame for a Business Associate if it has not acquired the necessary assurances that the BA is complying with the HIPAA act. HHS is now required to conduct compliance reviews if willful negligence is indicated following a preliminary review of the facts.
The final rules addresses multiple privacy issues related to uses and disclosures of PHI, such as:
• Communications for marketing or fundraising,
• Exchanging PHI for payment,
• Disclosures of PHI to persons involved in a patient’s care or payment for care
• Disclosures of student immunization records.
Individuals now have new rights to restrict certain disclosures of PHI to health plans and to request access to electronic PHI (ePHI).
All of these changes will require you to update or modify:
• Notices of privacy practices
• Research authorizations
• Internal policies
• And Training programs may require updates to address the rule modifications.
Business associates and subcontractors must comply with the Security Rule in full. Given the daunting nature of achieving Security Rule compliance, business associates and subcontractors should begin efforts now to meet the September 23 compliance deadline.
To implement the Genetic Information Nondiscrimination Act (GINA), HHS has included “genetic information” as a type of health information subject to HIPAA rules, and has imposed restrictions that will prohibit health plans from using genetic information for underwriting purposes and from employers using to in the hiring and promotion process.
It is obvious that this new rule will require the health care industry to educate patients with regards to their privacy and disclosure rights. Patients will need to know how their information is used and disclosed, and how to submit complaints pertaining privacy violations. This will rule will require Health Care providers to update their Business Associate Agreements, attain assurances form Business Associates that they are complying with the HIPAA Security Rule and that they have updated their Notice of Privacy Practices. The entities should also try to better understand HIPAA requirements so that they are aware of their risks and responsibilities towards their patients.