According to The American Academy of Family Physicians, the US Department of Health and Human Services (HHS) released a final rule altering security and privacy requirements relating to Patient Health Information (PHI), as defined in the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The Omnibus Rule became effective on March 26, 2013. Physicians and other specified organizations must be compliant by September 23, 2013.
Under HIPAA and the HITECH Act, a new breach standard clarifies the definition of business associates and implements the increased liability mandated by the HITECH Act. There are some grandfathered business associate agreements. However, covered entities and business associates must be fully compliant with the Omnibus Rule by the September 23, 2013 deadline. These four steps will help you meet these new regulatory requirements in time for this rapidly approaching deadline.
Internal Policy Updates – You may want to either replace or update your existing policies. HHS can help you assess compliance of a covered entity. The audit protocol provides a helpful guide to determining HIPAA compliance. Whenever existing policies generally meet audit protocol, it makes sense to update rather than replacing existing forms. Key changes to your internal privacy policies that must be made are outlined below.
- Decedents’ PHI - Protected health information now includes the health information of individuals who have died up to 50 years ago. The Omnibus Rule provides for the disclosure of PHI of deceased individuals to family members provided that they have not been excluded by that person.
- Breach standard - The Omnibus Rule changes the standard for determining whether a breach of unsecured PHI has occurred and thus whether a provider must follow the notification requirements under HIPAA. The new breach standard should be included in your internal policies and applies to potential breaches occurring prior to September 23, 2013 as well as those that follow.
- Marketing and sale of PHI – In most cases PHI marketing is prohibited. In cases where patient authorization has been provided prohibitions do not apply. Whenever providers wish to market outside services to patients based on their PHI, or even to provide access to PHI for payment, the provider must obtain valid authorization from the patient. Provider policies must reflect these definitions.
- Disclosures to schools - Disclosure of proof of immunizations to schools is permitted under the Omnibus Rule.
- Patient rights to limit disclosures – A patient has the right to restrict PHI regarding a specific health care service so that it is not disclosed to a health plan.
- Electronic copies of medical records - PHI requests by patients in electronic format must be provided if they are readily producible.
2. Notice of Privacy Practices
The Omnibus Rule extends the scope of the notice of privacy practices (NPP). Once you have updated your NPP, you must make your new privacy practices available to existing patients and post your revised notice on your website and on the practice premises in a public place. Whenever you modify your NPP, new patients must receive a copy of the revision. A copy of NPPs should be maintained together with associated patient acknowledgements.
3. Business Associate Agreements
Your business associate agreement (BAA) forms must be updated to meet the Omnibus Rule requirements. Updates and new BAAs may be submitted by September 23, 2013. However, new BAAs entered after January 25, 2013 and those modified after March 26, 2013 do not require updating until September 23, 2014. It’s advisable to conduct an inventory of all current BAAs. To meet Omnibus Rule requirements, each BAAs must have an amendment or be replaced by a new BAA. Because the definition of business associate has been expanded, the BAA may require multiple revisions. One major change is that business associates that contract with subcontractors must enter into a BAA.
4. Staff Training.
As a provider, your policies must be updated and implemented. Staff members must be trained on any new policies as well as revisions of existing policies. Management and technical staff should familiarize themselves with the new breach standard in order to effectively and correctly complete the required analysis. Training is essential to ensure compliance HIPAA and the HITECH Act. Documentation of training programs and training histories will be helpful during audits and investigations.
Time is of the essence. The Omnibus Rule has resulted in many HIPAA changes. We at M-Scribe Technologies can help you meet your Omnibus Rule obligations. Visit our site or call us today for expert assistance.
Image courtesy of my2ndheartbeat.wordpress.com