As healthcare organizations continuously update their systems and implement the latest tools to improve patient care, it is important for providers to remain mindful of all HIPAA rules and regulations. Starting this week, HealthITSecurity.com will dive deep into different aspects of HIPAA and explain how the legislation affects different players in the healthcare industry. We will break down the HIPAA Privacy Rule and the HIPAA Security Rule, and also explain any changes or adjustments that have recently taken place.
Be sure to check back in regularly to ensure that you remain up to date on HIPAA and understand how it applies to your organization, your employees, and your facility's policies and procedures.
The Omnibus Rule
We start this new review by looking at the HIPAA Omnibus Rule, which was finalized in January 2013 and went into effect on March 26, 2013, with compliance required by September 23, 2013. The update improved patient privacy protections, gave individuals new rights to their health information, and strengthened the government's ability to enforce the law.
The Omnibus Rule combines four final rules:
- Final modifications were made to the HIPAA Privacy, Security, and Enforcement Rules
- Changes were made to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act
- A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, replacing the 2009 interim final rule
- Final modifications were made to the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes
An important aspect of the Omnibus Rule was its transition period: covered entities and their business associates had 180 days to make the necessary changes, but the breach notification obligations they already had under the HITECH Act and the interim final rule did not lapse during that time. As the Rule puts it:
…the provisions of section 13402(j) of the HITECH Act apply to breaches of unsecured protected health information discovered on or after September 23, 2009, the date of the publication of the interim final rule. Thus, during the 180 day period before compliance with this final rule is required, covered entities and business associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the interim final rule.
Key changes from the Omnibus Rule
The Omnibus Rule also revised several definitions. For example, the definition of "electronic media" was amended to refer to "electronic storage material" rather than "electronic storage media," so that it would continue to cover digital storage technologies that may not be described as "media" in the future.
“Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card,” the Rule states.
The definition of protected health information (PHI) also received a modification: individually identifiable health information about a person who has been deceased for more than 50 years is no longer PHI. The Omnibus Rule notes, however, that the Privacy Rule does not override "State or other laws that provide greater protection for such information, or the professional responsibilities of mental health or other providers."
The final Rule also clarified how the HIPAA rules apply in U.S. territories by defining the term "State":
State refers to one of the following:
(1) For a health plan established or regulated by Federal law, State has the meaning set forth in the applicable section of the United States Code for such health plan.
(2) For all other purposes, State means any of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands.
There were also key changes to how covered entities and their business associates (BAs) interact, and many of the requirements placed on business associates were expanded. For example, the definition of a BA was extended to include subcontractors of BAs, Health Information Organizations, e-prescribing gateways, and any other entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Moreover, BAs are now directly liable for impermissible uses and disclosures of PHI and for compliance with the HIPAA Security Rule.
Additionally, BAs must enter into business associate agreements with their subcontractors, and BAs, not covered entities, are now responsible for responding to any noncompliant subcontractors. The chain of responsibility must be documented. Essentially, any organization that handles PHI on behalf of a covered entity or another BA needs to have a business associate agreement in place.
Better PHI protection
The Omnibus Rule was designed to strengthen the existing HIPAA rules and regulations and to keep them applicable as technology changes and covered entities and their BAs implement new systems. There are many aspects of the Rule and of HIPAA that covered entities need to thoroughly understand. Be sure to check in next week to read more about HIPAA rules, the Omnibus Rule, and how they affect your organization.