HIPAA Omnibus Rule: How Does it Affect HIPAA and HITECH?
On January 25, 2013, the Omnibus Rule under the Health Information Technology for Economic and Clinical Health (HITECH) Act was released.
The Omnibus Rule aimed to protect patients’ health information and safeguard patient privacy in an increasingly dangerous digital world.
The rule made many significant amendments to the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Changes Brought by the HIPAA Omnibus Rule
1. Breach Notification
The Omnibus Rule expands the definition of “breach” of unsecured protected health information (PHI). This brings about more circumstances in which business associates and covered entities must give notice of a breach.
The HITECH Act defines a “breach” as the unauthorized access, acquisition, use, or disclosure of protected health information that compromises the security or privacy of such information.
The interim final rule required covered entities and business associates to perform a risk assessment, and notification was required only if the incident posed a significant risk of financial, reputational, or other harm to the individual.
The Omnibus Rule removes that harm standard. Instead, any use or disclosure of PHI not permitted by HIPAA is presumed to be a breach unless the business associate or covered entity demonstrates a low probability that the PHI has been compromised.
This demonstration must be based on a risk assessment that considers at least the following factors:
- The extent and nature of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized individual to whom the disclosure was made or who used PHI.
- Whether the PHI was viewed or acquired.
- The extent to which the risk to the PHI has been mitigated.
Under the final rule, more unauthorized uses and disclosures of PHI will likely need to be reported to the Office for Civil Rights (OCR) and to the affected individuals.
The Omnibus Rule also eliminates a provision in the interim final rule that exempts improper uses or disclosures of a limited data set from the breach notification requirements.
2. Business Associates
Many of the most important changes impact organizations and business associates that use and disclose PHI to provide administrative services to covered entities.
The Omnibus Rule requires business associates to enter into and comply with business associate agreements with each covered entity.
Business associates may disclose and use PHI only as required or permitted by their business associate contracts or as required by law.
It will be important to make sure that business associate agreements describe all the contemplated uses and disclosures of PHI by the business associate itself.
The Omnibus Rule also makes business associates subject to specific provisions of the HIPAA security rule. As a result, business associates must comply with the Security Rule standards addressing administrative, physical, and technical safeguards to protect electronic PHI.
The Omnibus Rule extends the reach of HIPAA’s business associate requirements by broadening the definition of a business associate. The definition now includes persons receiving protected health information from a business associate that performs:
- Legal;
- Actuarial;
- Consulting;
- Accounting;
- Data aggregation;
- Administrative;
- Management; and
- Accreditation or financial services.
3. Access to Electronic Protected Health Information
Under the Omnibus Rule, if an individual requests their PHI in electronic format, the business associate or covered entity must provide the PHI in that electronic format. If the PHI is not held in that format, it must be provided in a format agreed upon by the individual and the concerned party.
If a covered entity or business associate provides a patient with electronic access to PHI, the covered entity may charge for the costs of labor and supplies associated with preparing the response to the request.
4. Requests for Restrictions
The HITECH Act requires that when a patient requests a restriction on disclosure of their PHI, the covered entity must agree to the requested restriction if two conditions are met: the request pertains to disclosures of PHI to a health plan for the purpose of carrying out payment or health care operations, and the restriction applies only to PHI about a service or health care item for which the provider has been paid out of pocket in full.
This was a huge change from the previous privacy rule provisions that said a covered entity was not required to agree to requested restrictions. HHS has added conforming language to the HIPAA privacy rule to implement this change.
5. Marketing
Under HITECH, certain communications that encourage the use of a product or service are treated as marketing communications if the covered entity receives remuneration for making them.
Covered entities and business associates may provide refill reminders without authorization as long as any remuneration received is reasonably related to the cost of making them.
Communications about treatment, or about health-related services the covered entity provides, are also permitted without authorization as long as the covered entity has not received payment for making them.
6. Sales of PHI
The HITECH Act banned some sales of protected health information without express authorization. To implement this, the final rule requires covered entities to obtain authorization for any disclosure of PHI made in exchange for direct or indirect remuneration, unless an exception applies.
The authorization must state in clear terms that the covered entity will receive remuneration for the communication.
There are numerous exceptions, including public health activities, treatment, payment, sales of a covered entity, business associate arrangements, and providing information to individuals.
7. Fundraising
Under HITECH, covered entities or business associates that use individuals’ names and treatment dates to raise funds are required to provide a clear and conspicuous opportunity to opt out of future fundraising communications.
The Omnibus Rule stipulates that each fundraising communication made to the individual must include notice of the opportunity to opt out.
The process for opting out may not cause the individual to incur more than a nominal cost or undue burden.
8. Enforcement
The HHS Secretary must conduct a compliance review whenever a preliminary review of the facts indicates a possible violation by a covered entity or business associate due to willful neglect.
Formerly, a compliance review was not required in any circumstances. More generally, the Omnibus Rule extends HIPAA’s enforcement provisions to business associates.
The Secretary may impose a civil money penalty against any business associate or covered entity that violates a HIPAA rule.
Members of an affiliated covered entity or business associate are jointly and severally liable for penalties. Covered entities are also liable for penalties based on the acts or omissions of any agent, including a business associate.
Conclusion
The most recent addition to HIPAA, the Omnibus Final Rule, was passed to strengthen the protection of protected health information, especially in electronic form, and to give patients greater access to their own health information.
The Omnibus final rule requires the healthcare industry to educate its patients about their disclosure and privacy rights. Patients should know how their information is used and shared, and how they can submit complaints pertaining to any privacy violations.