HIPAA Omnibus Rule: What has changed and what needs to be done

March 25th, 2013 marked the beginning of the 180-day transition period in which covered entities, business associates and subcontractors must modify and update their policies, agreements, procedures, practices and forms to meet the compliance requirements of the Omnibus Rule, whose compliance deadline is September 23, 2013.

During the transition period, covered entities and business associates should be preparing and executing modified business associate and data use agreements. They should train their staff on the changes from the previous rules and educate them on their responsibilities for protecting health information and for breach notification. With the new changes taking effect, it is extremely important for stakeholders to know whether they fall within the scope of the HIPAA and HITECH regulations.


Covered Entities & Business Associates: Which one are you?
Under the HIPAA Privacy Rule, a Covered Entity falls into one of three groups: healthcare providers, health plans and healthcare clearinghouses. The healthcare providers group includes all entities transmitting electronic health information, including doctors, clinics, psychologists, dentists, chiropractors, pharmacies and nursing homes. The second group includes Health Maintenance Organizations, Medicare & Medicaid and other health plans. The third group refers to organizations that receive healthcare information from another organization and process it into a standard format, including billing services, re-pricing companies, community health management information systems and value-added networks.

Business Associates include all organizations conducting business with covered entities that involves the use of, or access to, protected health information. Businesses dealing in Electronic Health Records, EMR software, data analysis and billing claims processing, and providers of administrative, consulting and financial services, fall under the category of business associates. All subcontractors of such business associates are also regarded as business associates if they are in any way required to view, use or analyze protected health information. Any entity that creates, receives, accesses, maintains or transmits Personal Health Information becomes a Business Associate. Entities that come across protected health information but only pass it on without viewing or accessing it are not regarded as Business Associates.

So what has changed and what needs to be done?
Previously, covered entities were responsible for reporting data breaches to the Department of Health and Human Services (HHS). Covered entities were also required to contractually obligate their Business Associates to safeguard any Protected Health Information they handled. Business Associates were under no obligation to report data breaches to anyone other than the covered entities. The new HIPAA Omnibus Rule brings a few important changes.

Business Associates are now required to report any Protected Health Information data breaches directly to HHS. They are also required to abide by the same rules that apply to covered entities and are subject to the same penalties.

Regarding the changes brought by the Omnibus Rule, Leon Rodriguez, Director of the Office for Civil Rights at HHS, said, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The HIPAA Omnibus Rule contains modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules. Through this rule, HHS aims to ensure that every organization that accesses or uses health information comes under the same scrutiny that applies to covered entities and business associates.

By September 23, 2013, every liable stakeholder must recognize their status as a business associate and guarantee their compliance with the Omnibus Rule.

The changes to the HIPAA Rules allow for increased control and protection of the public’s health information. Individuals are given greater rights over their personal medical information: they can obtain electronic copies of their Electronic Medical Records, and they can ask their providers not to share their treatment information with their health plan. The new rule also forbids organizations from sharing a patient’s information for marketing or sales purposes without permission. Patients are thus given authority over the use of their own health information.

Speaking about the new rule, HHS Secretary Kathleen Sebelius said, “Much has changed in health care since HIPAA was enacted over fifteen years ago. The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
