On January 17th, 2013, the Health Insurance of Portability and Accountability Act of 1996 (otherwise known as HIPAA) rules were overhauled with the express goal of improving patient privacy and protecting patient data. These new rules took effect as of March 26, 2013. The change to the laws made regulations for second and third-party businesses and associates more stringent. The overall update to the HIPAA rules is known as the HIPAA Omnibus Rule. This rule covers some fundamental modifications to HIPAA regulations. From the HHS.gov press release regarding the new rule:
The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.
In summary, the rule does the following:
– Adds liability for Business Associates of Covered Entities and makes them responsible for abiding by the Security and Privacy rules
– Strengthens the limitations of the disclosure and use of protected health information (PHI) {specifically for marketing or fundraising purposes} and prohibits the sale of PHI without authorization from the individual.
– Adds to the rights of an individual to electronic copies of their information and also to keep healthcare that they’ve received and paid for privately separate from any health plan.
– Adds a requirement for modifications and redistribution of a Covered Entity’s notice of privacy practices and adherence to HIPAA.
– Adds amendments to the requirement for individual authorization for research and disclosure of proof of immunization to schools.
– Officially adopts the Health Information Technology for Economical and Clinical Health (HITECH) Act changes to the Enforcement Rule {those that were not previously adhered to after the October 30, 2009 interim final rule}.
– More changes to the Enforcement Rule incorporating tiered financial penalty structure.
– Adjustments to the Breach Rule’s ‘harm’ measurements to make gauging violations more objective.
– Adds a nondiscrimination clause to the Privacy Rule {as required by the Genetic Information Nondiscrimination Act} prohibiting health plans from using genetic information for underwriting purposes.
HIPAA Omnibus Rules can invoke penalties for violation of the HITECH Act. Based on the penalty structure of the HITECH Act, violations will incur a financial penalty increasing with the level of culpability and responsibility for the violation. The maximum penalty for such a violation is $1.5 million per year.
The new rule changes the definition of Business Associates (BAs) and must include:
– Health information organization, electronic prescription gateways, or companies that transmit data for a covered entity and frequently require access to PHI.
– An entity that provides a health record on behalf of a covered entity.
– Subcontractors of covered entities assuming these subcontractors access PHI.
– Any individual person who accesses, creates, or transmits PHI on behalf of the covered entity.
In addition, Business Associate Agreements (BAAs) require new provisions. Now, Business Associates must comply with the Security Rule when applicable; they must report breaches of PHI to covered entities; they must manage their subcontractors that interact with PHI and assure that they agree to the restrictions that apply.
Furthermore, BAs must now carry out the obligations of the covered entity under the Privacy Rule and abide by the same regulations. BAs are also required to enter into compliant BAAs with subcontractors the same way that covered entities must enter such agreements with their BAs.
To continue maintaining HIPAA Compliance under the Omnibus Rule, ensure that all associated business documentation is updated, policies/procedures remain up-to-date, and be vigilant to ensure that your BAs and associated subcontractors also abide by the new rules.