Introducing the HIPAA Omnibus Rule

New standards have been added to HIPAA regulations through the Omnibus Rule. These new additions address holes in the ability to access PHI (Protected Health Information) by those that are non-privy to such data. These standards ensure that "Covered Entities" follow these rules or deal with significantly harsher penalties.Covered Entities, Business Associates and their subcontractors are more liable for compliance lapses under the Omnibus Rule. Enacted on September 23, 2013,the Omnibus Rule has led to a dramatic increase in the cost and complexity for the maintenance of healthcare documentation, requiring even more precise auditing of systems and policies.

There are a variety of points that make up the new HIPAA Omnibus Rule, which include additional HITECH Act enhancements. During a breach of PHI the Covered Entity must notify eachindividual party whose information was breached, the Dept. of Health and Human Services, and media sources. The definition of a secure system is not simply having access or login protection. It requires the data to be thoroughly encrypted when breached, or automatically destroyed before it is accessed. In addition, the Omnibus Rule expanded the scope of what constitutes a breach to even limited sets of data that might contain certain fields.

The Omnibus Rule is an update to the Interim Final Rule published in August 2009 and involves the discarding of a 'harm threshold'. This threshold analyzed the risk of a potential breach's impact in determining the potential recourse for a Covered Entity. However, the Omnibus Rule voided this threshold, but instead presumes a breach unless certain specific factors are taken into account. This includes who the unauthorized person is, whether the PHI was viewed, and how it was acquired.

Sanctions for not providing the required notice are severe, with some state law requirements even more severe than federal laws. Thus, potential breach and all follow-up protocols should include a full analysis of both state and federal regulations.

The Omnibus Act also expands the definition of a Business Associate. Thus, the new BAA (Business Associate Agreement) must specify the general arrangement of data being exchanged in addition toaddressing the repercussions of a potential breach in the transfer of information between Covered Entities and Business Associates. The NPP (Notice of Privacy Policies) has beenmodified to include provisions for distribution, sale, and notification of breach to patients including special provisions for psychotherapy notes.

Penalties for lack of compliance to these rules include $100 per violation and $25,000 if the violation is identical in one calendar year. Privacy breaches have a far greater consequence, including penalties up to $1.5 million.

With the HIPAA Omnibus Rule in effect, it is even more imperative that Covered Entities and Business Associates take active steps in ensuring that their systems are protected, with protocols and audit tools in place to prevent even a seemingly minor PHI breach from occurring. To comply with these changes, both Covered Entities and Business Associates must make updates to their privacy practices, as well as perform an audit of all their policies and procedures on a regular basis.

Read More