Tips for becoming compliant with the HIPAA Omnibus Rule
Are you palms sweaty? Is your heart racing? It may be because you’re scrambling to ensure compliance and avoid penalties from the Final Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule, which has a past-due compliance deadline of Sept. 23. The HIPAA Omnibus Rule makes business associates accountable for any misuse or failure to safeguard protected health information (PHI) and increases liability for noncompliance.
Once records leave your hands, they should be handled with the same level of security as they are when they are with you. This is the essence of the Omnibus Rule. Designed to keep business associates and their subcontractors accountable, the Omnibus Rule creates a new breach standard, clarifies the definition of “business associate,” and implements a new penalty structure mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Non-compliance comes with many risks. According to the Department of Health and Human Services (HHS), 20 percent of HIPAA breaches affect more than 12 million patients. The Omnibus Rule ensures that anyone who has access to your patient information will be held to the same standards as you, including your business associates and their subcontractors.
Clarifying the Changes
It is important to understand the major changes presented by the Omnibus Rule to properly prepare. This includes the following:
- Strict HIPAA enforcement rules. The Omnibus Rule incorporates the changes to the HIPAA enforcement rules under the HITECH Act. Under these rules, there are multiple categories of violations and a tiered penalty structure with increasing penalty amounts tied to increased levels of culpability. There is a maximum penalty of $1.5 million for all violations of an identical provision within a given year. Covered entities and business associates can expect to see increased enforcement.
- Definition of “business associate” and “business associate agreement” requirements. The revised definition of “business associate” now includes a business associate’s subcontractors that create, receive, maintain, or transmit protected health information (PHI). The Omnibus Rule also modifies the content requirements of business associate agreements. As a result, covered entities and business associates will need to revise existing business associate agreements. HHS has posted a sample version of a revised business associate agreement on its website. Nevertheless, covered entities and business associates will likely want to incorporate additional protections in their agreements.
- Breach notification rules. The Omnibus Rule eliminates the “substantial risk of harm” standard under the breach notification rules. As a result, any impermissible use or disclosure of PHI is presumed to be a breach requiring notification, unless the covered entity or business associates (as applicable) demonstrates through a risk assessment that there is a low probability that PHI has been compromised. As modified, the breach notification rules require consideration of objective factors when conducting these risk assessments. Breach notification policies and procedures will need to be revised in response to these changes.
- PHI modifications. The Omnibus Rule prevents businesses from selling PHI without an authorization by the individual. The use of PHI for fundraising or marketing generally is also prohibited without the permission of the individual. The Omnibus Rule also expands the patient’s right to receive electronic records in an electronic form and format requested by the patient. In addition, patients can request that a provider not release any information if they self-pay for the visit. As a result of these changes, covered entities will need to revise their Notice of Privacy Practices accordingly.
Conduct a Risk Analysis
As of January 2013, HHS received over 274 reported breach incidents due to theft, the top breach cause, accounting for 52 percent of incidents. That statistic should reinforce the significance of conducting a thorough risk analysis. The following steps should be included in a risk assessment:
- Consider implementing new policies and procedures. Review your existing security of protected health information. For example, confirm how your information is being transported from the warehouse to you. Is it secure in the truck? Your business associates must have systems in place to protect PHI.
- Prevent a breach from happening. Identify any threats and vulnerabilities in your system. For instance, review user access controls and make sure they are properly configured. Also, make sure all HIPAA training is up-to-date with the new rule.
- Contain information. Set up safeguards to identify who accesses a patient’s records. Monitor who is going into a patient’s records and determine if they really need to have access to that information.
- Correct violations. Establish policies that make individuals accountable. It is also important to mitigate your security risk, for instance, in the event a portable device is stolen. IT should implement security controls to prevent someone from accessing patient information on a stolen device.
Just as protecting the privacy and security of health information is a continuous process, you should also review your risk assessment periodically and make sure you have addressed responses to potential breaches in PHI. If you see any holes in your system, put new measures in place to help prevent a breach and remain compliant.
James W. Thweatt III is a partner at Keating Muething & Klekamp PLL. For more information, please visit www.kmklaw.com.
Sarah H. Koucky is Senior Director of Security and Compliance for Cintas Document Management. For more information, please visit www.cintas.com.
This document is not intended as legal counsel, but as a description of the law. Please consult your attorney for specific terms, requirements, penalties, or legally-recognized methods of compliance with any federal, state or local law.