HIPAA Omnibus Rule Comes into Force

The HIPAA Omnibus Rule was published on Jan 25, 2013 by the Department of Health and Human Services (HHS) as an amendment to the Health Insurance Portability and Accountability Act (HIPAA). The new rule came into force on March 26, 2013 and modifies existing HIPAA regulations to provide greater protection of patient data; extending the reach of HIPAA and modifying regulations to bring them in line with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HIPAA Omnibus Rule contains many amendments, although it introduces four new rules:

  1. The HIPAA Privacy, Security and Enforcement regulations have been updated as follows:
    1. Liability for HIPAA compliance extended to include business associates and subcontractors
    2. Sale of PHI prohibited without authorization and the use of PHI for marketing or fundraising has been prohibited.
    3. Greater powers for patients allowing them access to their electronic medical and health data, while restricting information which must be disclosed to a health plan if treatment has been paid in full by the patient.
    4. Notices of Privacy Practices must be modified by HIPAA-covered organizations
    5. Clarifies the procedure for identifying privacy and security breaches and when they are reportable by business associates and other covered entities.
  2. Introduction of a tiered structure of financial penalties under HITECH
  3. HITECH breach notification rules have been clarified to help healthcare organizations assess whether a security breach must be reported.
  4. HIPAA Privacy Rule modified in accordance with the Genetic Information Nondiscrimination Act, (GINA) as proposed in Oct 2009, to prevent the disclosure or use of genetic information for the purpose of underwriting health plans.

New Penalties for HIPAA Security Breaches

Violation of the Health Insurance Portability and Accountability Act (HIPAA) will see a financial penalty incurred of between $100 and $50,000 for each individual violation if it can be established the organization has acted with a reasonable amount of diligence and the breach occurred without the knowledge of the entity concerned.

In the case of a rule violation due to reasonable cause the penalty rises to between $1,000 and $50,000 per violation, provided there was no willful neglect. In cases of willful neglect the penalty will be between $10,000 and $50,000 per offence. A minimum fine of $50,000 for each violation up to a maximum annual penalty of $1.5 million per annum will apply in cases of willful neglect where there was no timely response to address a security breach.

Privacy, Security and Enforcement Rules for Breaches

A breach notification must be issued unless the organization or a business associate can demonstrate with reasonable certainty that no PHI has been accessed by – or disclosed to – an unauthorized individual. Proof must also be provided to support this. Business associates must determine the nature of any data accessed, whether personal identifiers have been viewed, who the PHI was displaced to, the risk to patients and whether that risk has been mitigated.

Who Does the Omnibus Rule Affect?

Physicians and healthcare professionals who transmit or store electronic health information together with any business associates who receive, transmit or maintain PHI data records are covered under HIPAA, and therefore the new Omnibus Rule will be applicable.

Business associates or any entity that requires access to PHI or provides data transmission services, offers a personal health record on behalf of a HIPAA-covered entity or is a subcontractor with access to PHI must also comply with the Omnibus Rule.

The Omnibus Rule constitutes a material change, and as such requires an update of the Notices of Privacy Protection by covered entities. Healthcare organizations and other covered entities have until Sept 23, 2013 to update NPP’s and implement the new rules. After this date a failure to implement the changes will be deemed non-compliance and is likely to incur financial penalties.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.