HIPAA Omnibus Final Rule Improves Patient Rights
Healthcare organizations and their business associates are facing fines for non-compliance following the introduction of new regulations which protect the privacy of patients and the security of their data. The Omnibus Final Rule came into effect this year and covered organizations were required to update procedures and policies and comply with the new regulations by September 23, 2013. The new changes have been criticized by some members of the healthcare community; however the changes expand patient rights and allow them to have much greater autonomy and make decisions about how and what is communicated to them and the channels that can be used. If a patient is comfortable receiving information via E-mail, they are allowed to continue to use that medium to communicate with their healthcare providers or care team and information can be sent by healthcare professions to patients provided that they have been made aware of the risks. If it is explained that the medium is not totally secure and there is a chance that their data could be viewed by other people and they accept the...
Google to Sign BAA to Make its Apps HIPAA Compliant
Many healthcare organizations were unwilling to use Google Apps because under the new HIPAA regulations, Google would be required to sign a Business Associate agreement; something the internet giant has so far failed to do. Google has now agreed to remove this barrier and sign a BAA for the very first time, ensuring its Apps are fully HIPAA-compliant. This is expected to see more healthcare organizations take advantage of the services it offers. The Health Insurance Portability and Accountability Act of 1996 requires healthcare organizations to restrict access to electronic health records and identifiable information. Healthcare organizations are accountable for any data breaches, accidental or deliberate, and the disclosure of individually identifiable health information (IIHI) and protected health information (PHI) to any unauthorized individual. Protected information includes the names and contact details of patients, their health information, financial details relating to services received and medical insurance information. Under HIPAA regulations, if any of this data needs to...
HHS Publishes Guidance on how the HIPAA Privacy Rule Applies to Refill Reminders
The HIPAA Privacy Rule gives individuals greater control over how their medical data can be used and disclosed to third parties. The Rule prohibits the disclosure or use of patient PHI for the purposes of marketing. Before health information can be used to market products, services or pharmaceuticals to a patient, a written authorization must be provided stating that the patient opted in for this service. The purpose of the Privacy Rule is to offer patients better protection; however, the legislation should not interfere with patients receiving the care they need. Oftentimes, communications must be sent to patients advising them of medical matters, services, and even products. While there may be some overlap between marketing and general communications, provisions have been included in the legislation to take these into account. The HHS has now published further clarification on how the Privacy Rule applies to sending refill reminders and other communications that involve the provision of products and services, and explanations have been provided on exceptions to the Privacy Rule....
Omnibus Final Rule Now Enforceable
The HIPAA Omnibus Rule came into force in March this year, although the OCR gave covered entities a grace period in which to bring their organizations policies and procedures up to date with the new regulations. The Omnibus Rule expanded HIPAA to cover Business Associates of covered entities – and their subcontractors – with the 6 month grace period intended to give these newly covered organizations time to become compliant. That grace period expired today and the Omnibus Rule is now enforceable, with the OCR able to issue fines for any non-compliance issues it now discovers. The Omnibus Rule adds a number of security measures to ensure that private medical records are properly protected, including new restrictions on who is able to access those records. Breach Notification Rules have been updated and now presume that any unauthorized access of PHI is a reportable breach, and not just those which pose a significant risk of harm. Potential victims – as well as the OCR – must be notified of the breach within 60 days of its discovery. Any security breach must be now assessed to...
HHS Makes Final Updates to HIPAA Privacy and Security Rules
The HIPAA Omnibus Rule becomes enforceable this coming Monday, although the Department of Health and Human Services’ Office for Civil Rights has just announced that there will be a an enforcement delay for certain covered entities to give them more time to update their Notices of Privacy Practices. The introduction of the Omnibus Rule requires laboratories covered under HIPAA to update NPPs, although entities certified or exempt under the Clinical Laboratory Improvement Amendments (CLIA) will be given more time to update their NPPs, in addition to those organizations which have been relieved from the HIPAA Privacy Rule requirement to provide patients with access to their laboratory test results. The delay will not apply to laboratories which are part of larger healthcare organizations that do not have their own laboratory-specific NPPs. The delay was deemed necessary due to the requirement to update NPPs as part of the Omnibus Rule and CLIA, because of the proximity of the two rules. The Omnibus Ruling comes into force today, September 23, and CLIA, which amends § 164.524 of the...



