While the HIPAA Omnibus Rule should not be categorized as sweeping reform legislation, it does impact a variety of HIPAA rules, including the following.
- HIPAA Privacy Rule;
- HIPAA Security Rule;
- HIPAA Breach Notification Rule and
- HIPAA Enforcement Rule.
Spanning over 500 pages, the Omnibus Rule is not easily summarized or understood by medical providers. Understandably, this complexity leads to misunderstandings.
The Omnibus Rule did involve sweeping changes to.penalties for each HIPAA violation. The new penalty system, while not nearly as complex as the Omnibus Rule, is still easily misunderstood because the Omnibus Rule can be so challenging to understand.
Omnibus Rule Penalties
Non-compliance monetary penalties are higher for any and all breaches of protected health information (PHI). These new penalties apply whether PHI breaches were intentional or accidental.
There is no true maximum fine per year, but breaches in PHI can realistically cost up to $1.5 million annually. These new penalties target "business associates" to healthcare providers. Repeat PHI breaches provide for theses $1.5 million penalties.
The Department of Health and Human Services (HHS) widened the previous definition of business associates in 2013, requiring they report PHI breaches directly to the HHS Office of Civil Rights and full compliance with all new HIPAA Privacy and Security Rules.
Even those organizations who are loosely or peripherally associated with a healthcare provider are now covered under the penalty system. With a late September 2013 compliance date, organizations falling under the business associate definition are bound by the new penalty system.
Avoiding HIPAA Omnibus Rule Penalties
With penalties ranging from $100 to $50,000 for first violations up to $1.5 million for repeated violations yearly, it is imperative that medical service providers and business associates understand and avoid the Omnibus Rule penalty system.
With the continuing conversion to fully digital, electronic patient records, practice and third-party IT providers are particularly concerned with the additional Omnibus Rule penalties. The probability of PHI breaches is much higher with IT than with most other medical practice personnel.
Consider these steps, at a minimum, to minimize the potential for rule violations.
- Medical service providers and practice managers must gain good understanding of important provisions of the HIPAA Omnibus Rule. While a number of sources have made valiant attempts at summarizing the key pitfalls of the 500-page Omnibus Rule, confusion still reigns in many practices. It's imperative that providers do whatever it takes to understand the rule provisions.
- Thoroughly educate billing, coding and administrative staff on the major provisions and pitfalls with the new rule. Once there is understanding, it's equally critical to train and educate all practice staff and business associates. This is ground zero for HIPAA PHI breaches.
- Prepare properly for RAC and HIPAA audits that may come. Always an important plan, new heavy rule penalties make it imperative to prepare for outside audits. Since the penalties apply for human error, not just willful violation, practices must minimize all mistakes, however seemingly minor.
- Medical providers still unsure of the new regulations, interpretations, definitions and/or penalties should consult with external advisors to clear away any confusion. Service providers must check their egos at the door; the penalties are too severe. Medical providers should not hesitate to get outside help if major HIPAA Omnibus provisions remain a bit "cloudy." It is simply not worth the risk of violations.
- Arrange for top legal counsel representation should potential violations be alleged. Find legal counsel that understands the new rule regulations, definitions and penalties. Arrange an "as needed" agreement with a legal expert, who also understands the appeal process, should disputed alleged violations occur.
Avoiding HIPAA Omnibus Rule penalties is a must have primary goal of all medical service providers and practice managers. Taking these steps will help eliminate most potential violations. Properly preparing to defend alleged violations is just as vital.