HIPAA Omnibus Final Rule Improves Patient Rights

Healthcare organizations and their business associates are facing fines for non-compliance following the introduction of new regulations which protect the privacy of patients and the security of their data. The Omnibus Final Rule came into effect this year and covered organizations were required to update procedures and policies and comply with the new regulations by September 23, 2013.

The new changes have been criticized by some members of the healthcare community; however the changes expand patient rights and allow them to have much greater autonomy and make decisions about how and what is communicated to them and the channels that can be used.

If a patient is comfortable receiving information via E-mail, they are allowed to continue to use that medium to communicate with their healthcare providers or care team and information can be sent by healthcare professions to patients provided that they have been made aware of the risks. If it is explained that the medium is not totally secure and there is a chance that their data could be viewed by other people and they accept the risks, sending PHI via unencrypted E-mail would not violate any HIPAA regulations. Patients are permitted to take risks with their own data. Healthcare organizations are not.

Should any patient elect to receive unencrypted E-mails it is essential that authorization is obtained in writing, clearly stating the risks have been explained. While this is not stated explicitly in the legislation as being required, it would be unwise to send any PHI without having documentation to prove that the right questions have been asked and the patient understands that there are risks.

To what extent do the risks need to be explained? According to a statement issued by the DHSS in 2013, “We do not expect covered entities to educate individuals about encryption technology and the [sic] information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party.”

While E-mails are allowed and are even mentioned in the context of sending PHI to patients as requested, permission must be obtained prior to sending the E-mail. It is still not permitted to send E-mails under an opt-out policy. Patients must opt-in to receive Electronic communications.

State laws should also be investigated, as while HIPAA may make some provision for E-mail communication, individual States may impose tougher restrictions to control the release of patient data. State laws will apply when they increase the protection offered under HIPAA, with the Omnibus Final Rule considered to be a minimum national standard only.

It should be borne in mind that regardless of patient requests, any media used to send PHI can only be chosen if a business agreement is in place with the provider of the service. Under the Omnibus Rule, all business associates must sign an agreement and agree to comply with HIPAA data privacy and Security Rules. A message containing PHI sent to a patient via Skype, for example, would be a HIPAA violation even if the patient knew the risks and signed a document to that effect prior to the message being sent if no current business agreement is held.

The new rule may not be the easiest to implement and it may have considerable cost implications for healthcare organizations; however the legislation is necessary to ensure patient data is properly protected. The new Rule also clarifies communications of electronic PHI and gives patients much improved rights of access to any data held on them.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.