Eileen Elliott’s Six Tips for Healthcare Providers About the New HIPAA Omnibus Rule appeared on HealthITSecurity.com on June 18, 2013 and on 24x7Mag.com on July 1, 2013.
SRH Law partner Eileen Elliott will be presenting at the Vermont Mental Health & the Law 2013 Seminar, taking place on June 21 at the Burlington Sheraton.
Earlier this year, the U.S. Department of Health and Human Services adopted tough standards to strengthen the privacy and security protections for health information under the Health Insurance Portability and Accountability Act (HIPAA) with the final Omnibus Rule. These modifications enhance patients’ protection of the privacy of their health records and provide them with new rights to their health information, while also supporting the government’s ability to enforce the law.
For healthcare providers, psychologists, social workers and other health professionals and entities, understanding and adhering to these changes is essential, but can oftentimes be confusing and tedious to keep up with. Eileen focuses on health care law and offers the following six tips to help healthcare providers navigate the new HIPAA rule.
1. Be familiar with the 2009 HITECH Act.
Most of the changes in the Omnibus Rule are not entirely new; they already exist under various proposed and interim rules under HIPAA and the HITECH Act. A provider who already understands HITECH's breach notification obligations will find the new rule far less daunting.
The other interim or proposed rules folded into the Omnibus Rule include the HIPAA Privacy, Security and Enforcement Rules; rules incorporating the increased and tiered civil money structure; Breach Notification for Unsecured Protected Health Information; and the rule modifying the Genetic Information Nondiscrimination Act.
2. Go over the enhanced breach notification requirements.
Strengthened breach reporting is one of the major effects of the Omnibus Rule. Under the prior rule, a breach was not reported unless it posed a “significant risk of reputational, financial or other harm” to individuals; the determination is now based on the risk that protected health information (PHI) has been “compromised.” A risk analysis is now required to determine the probability that PHI has been compromised.
3. Understand the increased business associate liability.
Business associates, or entities that create, receive, maintain or transmit PHI, have new requirements that increase their liability and can now be directly liable for HIPAA noncompliance. The updated requirements include contracting ramifications, Security Rule Compliance, use and disclosure requirements of the Privacy Rule, providing copies of ePHI, maintaining accounting of disclosures and providing Health and Human Services (HHS) with PHI during review or audit.
4. Recognize Health and Human Services’ enhanced fining authority.
HHS may now fine any Covered Entity, Business Associate or responsible party for a violation and retains the authority to charge multiple violations related to a single event, such as a breach. Monetary penalties will be tallied on a per person and per day basis. It is important to recall that the maximum annual cap of $1.5 million is applied on a “per provision” basis. It is not an overall limitation on liability but can be multiplied several times over depending on the number of provisions violated.
5. Note the extension of GINA requirements.
All plans that are subject to HIPAA are now also subject to the Genetic Information Nondiscrimination Act (GINA). Revisit the definition of genetic information under the act to determine what material falls into that category, because its use for underwriting is now forbidden.
6. Mark your calendar.
The Omnibus Rule became effective on March 26, 2013, and the compliance deadline is September 23, 2013. A deferred compliance date is provided in special cases for existing business associate agreements that comply with HITECH, but at the latest all contracts must be compliant by September 22, 2014.
The full final rule is published in the Federal Register.