GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do

By D'Arcy Guerin Gue, Phoenix Health Systems, a division of Medsphere Systems Corporation, with Steven J. Fox, Post & Schell. Originally commissioned by Thompson Publishing. Republished by permission.

Almost 12 years to the month since the Department of Health and Human Services issued the first HIPAA privacy and security rules, a much-expanded "omnibus" rule was released on Jan. 17, 2013. HHS coined the term "omnibus" to indicate that the new rule includes four component rules:

- Final provisions that expand the HIPAA privacy, security and enforcement rules, as mandated in the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009. HITECH was a major element of the American Recovery and Reinvestment Act of 2009 (ARRA), commonly known as the economic stimulus package.
- The final rule on Breach Notification for Unsecured Protected Health Information, which changes significant elements of a 2009 interim rule.
- The final HIPAA enforcement rule, which expands HHS' enforcement powers, again as mandated by the HITECH Act.
- The final rule modifying the HIPAA privacy rule, as mandated by the Genetic Information Nondiscrimination Act (GINA) of 2008.

The omnibus rule went into effect on March 26, 2013.

Overview

The omnibus rule, published in the Jan. 25 Federal Register, presented extensive revisions in HIPAA privacy and security requirements (78 Fed. Reg. 5566). While many of the changes are technical details, many others are major and far-reaching. The text of the lengthy document is necessarily complex, given its regulatory intentions, but it is possible to identify at least three broad themes embodied in the new rule.

First, HHS gives patients and their rights central priority, within its long-term vision of an integrated health care environment where HITECH's "meaningful use" of electronic health records will be fully realized. Several provisions of the new rule focus on enhancing security of "protected health information" (PHI), increasing patient privacy, and expanding patients' access to, and control of, their personal health records.

On the other hand, the obligations of covered entities under HIPAA have expanded. In a dramatic turnabout, business associates are now subject to most of these obligations, including paying penalties. The rule also mandates greater restrictions on uses and disclosures of PHI, business associate agreements, and breach assessment and notification.

Finally, HHS has assumed greater reach in enforcement powers and overall authority. It has reduced the level of regulated entities' discretion in identifying breaches and has amplified breach notification requirements. HHS' authority now extends to business associates, making them directly liable for HIPAA compliance. HHS' authority also reaches any subcontractors that touch or store PHI. In addition, genetic information has now been added to the PHI data mix.

Note: Ms. Gue and Mr. Fox are the original authors of Thompson's Guide to Medical Privacy & HIPAA.

New Liability of Business Associates and Subcontractors Adds Extensive Obligations

The omnibus rule expanded the HIPAA obligations of business associates, making them directly responsible for adhering to most privacy and security provisions. As with covered entities, business associates are now subject to the same penalties for noncompliance. HHS has amended the security rule to require business associates, like covered entities, to conduct a risk analysis, implement a security plan, and appoint a Security Officer.

In a giant step, the rule defines "business associates" far more broadly than in the past, and includes any entities that create, receive, maintain or transmit PHI on behalf of a covered entity. "Maintain" is a new criterion, and will likely include a new group of vendors, such as document storage organizations.

HHS has created a new business associate chain: subcontractors of business associates are now responsible for PHI protection and are defined as business associates if they create, receive, maintain or transmit PHI. Further, their subcontractors are pulled into the chain if they meet the same criteria. All have the same compliance obligations under HIPAA that business associates have. Just as covered entities are held responsible for breaches or violations of their business associates, so, now, "first level" or primary business associates are held responsible for the compliance of their subcontractors. Every connected contractor and subcontractor is now directly liable to HHS for breaches.

It should be noted that vendors that transmit PHI on behalf of covered entities are not considered to be business associates if they are simply "conduits" that do not routinely access PHI. Internet service providers are likely to be such conduits.

Fortunately for covered entities, they do not have to enter into a business associate agreement (BAA) with business associates' subcontractors. But BAAs are still required between covered entities and their business associates, even though the latter now are held directly accountable for HIPAA compliance. These "primary" business associates also must develop BAAs with all their relevant subcontractors, and covered entities must require their business associates to do so. Note that if an entity meets the definition of a business associate, the entity is liable for HIPAA violations even if it has not entered into a business associate agreement.

Patients' Rights Are Expanded, Creating New Responsibilities for Regulated Entities

One focus of the omnibus rule was to support patients' participation in the health care environment. The rule increases patients' access to their health records, and provides them greater latitude in restricting disclosures and uses of PHI. Initially, this creates some additional burdens on covered entities and business associates.

Patient Requests

If an individual asks a covered entity for an electronic copy of his or her PHI, the omnibus rule requires covered entities to provide it, assuming the information is maintained in an electronic record. The individual also may have a copy of the PHI sent electronically to another person he or she designates. The preamble to the omnibus rule suggests that covered entities must invest in electronic information technology so that they can meet this requirement, echoing HITECH's mandate for meaningful use of electronic health records.

The rule also parallels HITECH in requiring health care providers to meet patient requests to not disclose to a health plan (or a health plan's business associate) any PHI that is related to items or services for which the patient has fully paid out of pocket. Providers don't have to create separate medical records, as long as they prevent the disclosure. Many electronic systems may not have the ability to single out areas of a record and restrict access to specific individuals. Organizations may have to work with their vendors to complete necessary systems and procedural changes to comply with access restriction requests.

Marketing and Sale of PHI

The original privacy rule required patient authorization to use or disclose PHI for marketing purposes, but made an exception for such uses and disclosures when they were part of "health care operations." The omnibus rule is more restrictive, requiring individual authorizations for any treatment communications if the covered entity (or a business associate) receives financial remuneration for the subject product or service. The rule includes both direct and indirect remuneration (a payment channeled through a third party). HHS makes an exception for refill reminders or communications about current prescriptions, if the third-party subsidy is reasonable.

The omnibus rule has adopted HITECH's prohibition of the sale of PHI, defined as the exchange of anything of value (remuneration) for PHI. There are limited exceptions, including disclosure for public health purposes, research purposes, and treatment and payment purposes.

Our Recommendations: First Steps to Take Toward Compliance

If they haven't already done so, we recommend that affected parties undertake these planning initiatives and follow through on implementation:

- Gap analysis. Covered entities and business associates should complete a thorough gap analysis to determine which policies, procedures, and documentation (such as notices of privacy practices and subsidized marketing agreements) must be updated in accordance with the omnibus rule. From the gap analysis, the organization will be able to determine the scope of necessary changes, and plan accordingly.
- Implementation plan. Business associates and their subcontractors should initiate plans for implementing a HIPAA compliance program, if they have not done so. This work should begin with a vetting process by business associates, probably with the assistance of the related covered entity, to determine which contractors and subcontractors are applicable. Then, a plan should be created for performing or redoing related risk analyses, creating a timeline for developing and executing security plans, and setting a timeline for development and implementation of new business associate agreements.
- Business associate agreements. Covered entities should develop a plan to revise all existing BAAs.
- Forms. Covered entities should plan to create or revise all forms that apply to provisions in the rule. These include, but are not limited to: requests for PHI access; requests to limit PHI release; and authorization forms addressing marketing, research, sale of PHI, and fundraising communications.
- Workforce training. All regulated entities should consider timing and execution of applicable workforce training programs.

Fundraising

In the past, use of clinical information in fundraising communications by not-for-profit organizations was prohibited; covered entities were limited to using demographic and certain insurance data. Acknowledging that use of more substantive data could enhance the value of fundraising efforts, HHS expanded the information that organizations may use to include certain PHI. This information is limited to disclosures of the department that served the patient, his or her physician's identity, and general information about treatment outcomes. The fundraising value of these new permissions is significant: individuals can be targeted because of their experience in specific clinical situations or departments, and fundraising appeals can be sent in the name of a former patient's physician.

The rule emphasizes that covered entities must provide patients with a "clear and conspicuous" notice of their right to opt out of future fundraising communications, and offer a reasonably convenient way to do so. Fundraising entities are required to honor individuals' opt-out requests, though they may provide a method to opt back in to the communications.

Research

In the past, HIPAA required separate individual authorizations to use PHI for research projects, depending on whether the authorization was "conditioned" or "unconditioned." In response to researchers' concerns about prohibitive paperwork, the omnibus rule now permits them to combine conditioned and unconditioned authorizations into one form. The document must clearly offer individuals the option to opt in to the unconditioned authorization, and researchers must abide by their decisions.

PHI of Decedents

The omnibus rule focuses on the PHI of deceased individuals in two areas, in order to address practical concerns of both covered entities and relatives of decedents. The original privacy rule allowed covered entities to disclose information about a decedent only to a personal representative. The omnibus rule expanded such disclosures to family members and others who were involved in the care or payment for care of the decedent before death, and who likely had access to the individual's PHI during that time. However, if the covered entity knows of any conflicting, expressed wishes of the decedent, such disclosures are not allowed.

Previously, covered entities were required to protect deceased individuals' PHI indefinitely. HHS has acknowledged that locating a personal representative to authorize use or disclosure of a decedent's PHI can become impractical over time. The new rule limits the period PHI must be protected to 50 years after the individual's death, suggesting that this is sufficient to protect the privacy interests of most living relatives.

Immunization Records

In support of public health concerns, the omnibus rule makes it easier for schools to receive proof of students' immunizations. Covered entities now may disclose immunization records of students or prospective students to schools, if required by law. However, they must obtain and document the parent or guardian's agreement, which may be received either orally or in writing.

Genetic Information

HHS expanded HIPAA's reach relative to protected data to now include genetic information within the definition of PHI. This change reflects requirements under the Genetic Information Nondiscrimination Act of 2008 (GINA). As in GINA, the omnibus rule provides that health plans may not use or disclose genetic information for underwriting purposes. In addition, health plans' notices of privacy practices must now specifically reference this prohibition.

New Breach Provisions Likely to Increase Breach Notifications

In a move seemingly designed to increase the number of breach notifications, HHS eliminated the risk of harm standard in the final omnibus rule, modified the definition of "breach" and altered the risk assessment analysis that entities must perform for each potential breach. Previously, an entity had to determine whether a breach posed a significant risk of financial, reputational or other harm to an individual. Admittedly, this permitted subjective analysis by the covered entity; however, HHS does not provide any evidence in support of its claim that "some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set."

To lower that threshold, HHS changed the definition of "breach" so that any impermissible use or disclosure of PHI is now presumed to be a breach, unless the covered entity or business associate demonstrates low probability that the PHI has been compromised. HHS acknowledges that there remain several situations in which the unauthorized acquisition, access, use or disclosure of PHI is so inconsequential that it does not amount to a breach or warrant notification. The comments even give an example of a misdirected fax containing PHI, where the recipient physician immediately calls to say he has destroyed it, and note that even though this situation does not fit into any of the statutory or regulatory exceptions, the covered entity "may be able to demonstrate after performing a risk assessment that there is a low risk that the protected health information has been compromised."

The new risk assessment, instead of looking at the risk of harm to the individual, focuses on the probability that PHI has been compromised based on a consideration of at least the following four factors (plus additional unspecified factors as deemed appropriate by the covered entity):

- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- the unauthorized person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed; and
- the extent to which the risk to the PHI has been mitigated.

HHS believes that this type of assessment will result in a more objective evaluation of the risk to the PHI and a more uniform application of the rule.

One final note: HHS also removed the exception for limited data sets that do not contain any dates of birth and ZIP codes. So if there is an impermissible use or disclosure of such a limited data set, even one without birth dates and ZIP codes, a risk assessment that evaluates the factors discussed above must still be performed to determine if breach notification is required.

Finally, HHS notes that covered entities and business associates are encouraged to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other PHI, pursuant to the 2009 Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742). If PHI is thus encrypted, then no breach notification is required following an impermissible use or disclosure of PHI. Clearly, that is the safest route to take.

Notice of Privacy Practices

As a result of various changes in the rule, covered entities must update and redistribute their notices of privacy practices (NPP). Notices should reflect the rule's provisions concerning:

- certain individual rights regarding uses and disclosures that require authorization, such as marketing, sale of PHI, fundraising and research;
- for providers only, the individual's right to restrict disclosures to health plans, when he or she has paid out of pocket for an item or service;
- an affected individual's right to be notified of a breach of PHI;
- other uses and disclosures not described in the NPP that require authorization; and
- for health plans only, the prohibition against considering genetic information in underwriting.

New Breach Notification Process Is More Objective and Very Stringent

Until now, the guiding HIPAA standard for determining if an improper use or disclosure of PHI qualified as a breach was whether there was significant risk of harm to an individual. Covered entities, after appropriate assessment, were allowed to make this determination. HHS has since rejected this level of discretion and eliminated it in the new rule. The rule now requires an assessment of whether the security incident compromises the privacy and security of PHI; the harm standard is no longer a factor (see the detailed discussion under "New Breach Provisions Likely to Increase Breach Notifications" above).

HHS' HIPAA Enforcement Powers Hit Harder and Go Farther

Many of HHS' enforcement powers as defined in the omnibus rule were already assembled under the HITECH Act and the interim enforcement rule of 2009. Broadly speaking, HHS expanded its ability to enforce HIPAA to a longer chain of regulated entities, defined stricter enforcement criteria, and increased penalties for violations. Business associates have come under the penalty umbrella and, like covered entities, are directly subject to financial penalties. If a subcontractor of a business associate meets HHS' definition of an agent and commits a violation, the business associate may be liable for penalties, depending on the latter's authority to manage the relationship.

HHS makes it clear that it will investigate any complaint when a preliminary review, or an independent HHS inquiry, indicates a possible violation due to willful neglect. However, if there are no indications of willful neglect, HHS will rely on informal, voluntary actions to seek compliance.

In determining the amount of civil money penalties, HHS now considers the following factors: the nature and extent of the violation, the nature and extent of harm, the entity's history of prior compliance, and the financial condition of the entity. The rule formally adopts the HIPAA civil money penalty structure as increased by the HITECH Act, and sets the same categories for levels of violations.

Civil Money Penalty Structure

The table gives the penalty range for each violation and the cap for all identical violations in a calendar year, split by whether the violation occurred before or on/after 2/18/2009 (the HITECH effective date used by the rule).

Violation Category              | Each violation, before 2/18/2009 | Each violation, on or after 2/18/2009 | All identical violations per calendar year, before 2/18/2009 | All identical violations per calendar year, on or after 2/18/2009
--------------------------------|----------------------------------|---------------------------------------|--------------------------------------------------------------|------------------------------------------------------------------
Did Not Know                    | Up to $100                       | $100 - $50,000                        | $25,000                                                      | $1,500,000
Reasonable Cause                | Up to $100                       | $1,000 - $50,000                      | $25,000                                                      | $1,500,000
Willful Neglect - Corrected     | Up to $100                       | $10,000 - $50,000                     | $25,000                                                      | $1,500,000
Willful Neglect - Not Corrected | Up to $100                       | $50,000                               | $25,000                                                      | $1,500,000

Authors

D'Arcy Guerin Gue is vice president of industry relations for Phoenix Health Systems, a division of Medsphere Systems Corporation and a leading provider of health care information technology outsourcing, consulting and project management. She has written on many health care IT issues over her 25-year career, with a special emphasis on HIPAA information privacy and security, Meaningful Use, ICD-10 and other industry initiatives.

Steven J. Fox, Esq., is a principal with Post & Schell, PC, a national law firm serving clients throughout the United States, where he is chair of the Information Technology Group and co-chair of the Data Protection Group. An acknowledged authority on health IT, Mr. Fox assists clients with legal issues and strategic counseling involving technology, licensing of health care information systems, data privacy matters and health care regulatory compliance.

Copyright 2013 by Thompson Information Services. All rights reserved. Photocopying without the publisher's consent is strictly prohibited. Consent needs to be granted to reproduce individual items for personal or internal use by the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923.