The Omnibus Rule: Are You Ready?
Kegler Brown Health Care News August 28, 2013
Earlier this year, the U.S. Department of Health and Human Services rolled out the Omnibus Rule. Health care providers and their business associates have until September 23rd of this year to comply with the rule (for existing business associate agreements, changes must be made by September 22nd of next year). The big question is: are you prepared for the Omnibus Rule?
The Omnibus Rule is the final rule that implements a number of provisions to the Health Information Technology for Economic and Clinical Health (HITECH) Act. It provides for significant changes to the security and privacy rules under HIPAA, and for large penalties for non-compliance (up to $1.5 million for a second offense in the same calendar year).
The scope of the rule is broad and includes, but is not limited to, the following: a revised standard for breach notification; patient access to electronic information; limitations on use/disclosure of protected health information (PHI) for marketing without a patient’s authorization; revisions to notices of privacy practices; restrictions on the sale of PHI; requirements for protecting and transmitting electronic health information; regulation of fees charged for access; and the use of data for research. All covered entities will be impacted by the Omnibus Rule. Covered entities include health plans, health care clearinghouses and health care providers who transmit any information in electronic form.
It is anticipated with the new rule that the Health and Human Services Office of Civil Rights will increase its enforcement efforts to ensure compliance with the privacy and security rules. The breach standard has become more stringent and penalties are steep under the new rule. Under the new standard for breach notifications, a health care provider is required to prove no harm was done versus the previous standard, which presumed there was no harm to a patient when a breach occurred.
All covered entities must have a HIPAA compliance program in place. Compliance programs should include all of the following:
- Written policies and procedures to protect both the security and privacy of PHI. HIPAA is very specific on the administrative requirements.
- Business associate agreements in place with each subcontractor who creates, maintains, transmits or retains PHI.
- Training of your workforce regarding handling PHI.
- A Notice of Privacy Practices (updated, as required by the Omnibus Rule).
- Disclosures of PHI limited to those instances permitted by HIPAA. All authorizations for release of information must comply with HIPAA.
Even if you already have a compliance program in place, understanding the changes in the Omnibus Rule is crucial because these changes are broad and certain procedures need to be revised. For example, a patient can request that PHI not be disclosed to his/her health plan if the health care item or service has been paid in full by someone other than the health plan. Covered entities must develop a method to keep this information from being inadvertently sent to a health plan, such as during an audit.
The goal of a compliance program is to keep PHI both private and secure as required by HIPAA and HITECH. However, if you do experience a breach, the last thing you want is to find yourself investigated by the Office of Civil Rights without a program in place and therefore exposed to higher penalties. Prepare your company for the new provisions now, so if HIPAA authorities come knocking on your door, you’ll be ready.