The HIPAA Omnibus Rule came into force in March this year, although the OCR gave covered entities a grace period in which to bring their organizations' policies and procedures up to date with the new regulations.
The Omnibus Rule expanded HIPAA to cover Business Associates of covered entities – and their subcontractors – with the six-month grace period intended to give these newly covered organizations time to become compliant. That grace period expired today and the Omnibus Rule is now enforceable, with the OCR able to issue fines for any non-compliance issues it now discovers.
The Omnibus Rule adds a number of security measures to ensure that private medical records are properly protected, including new restrictions on who is able to access those records. Breach Notification Rules have been updated and now presume that any unauthorized access of PHI is a reportable breach, and not just those which pose a significant risk of harm. Potential victims – as well as the OCR – must be notified of the breach within 60 days of its discovery.
Any security breach must now be assessed to determine whether it is reportable, using the following four criteria: the nature of the data exposed; the unauthorized person who accessed – or could potentially have accessed – the data; whether the PHI was actually acquired and/or viewed; and the extent to which the organization has been able to mitigate any damage caused. Prior to the introduction of the new final rule, there had to be a risk of harm before a breach was reportable; now the breach is reportable unless it can be established and proven that the risk of the data having been compromised is low.
The requirement for breach reporting under past legislation was dictated by the extent of the data that was exposed. Previously, personal data such as dates of birth and Social Security numbers had to have been exposed for notifications to be issued, whereas now even the exposure of limited data containing no dates of birth or Social Security numbers must be treated as a full data breach.
Notices of Privacy Practices must be updated under the new rule, which requires individuals to be informed about how, and under what circumstances, they will be contacted by the covered entity; individuals must now also be allowed to opt out of receiving such correspondence. The use of Protected Health Information has also been restricted: it cannot be used for marketing purposes, and the sale of PHI has been prohibited.
Other changes serve to increase patients' rights to access their health information and to limit to whom that information can be disclosed. Patients can request that Medicare is not informed of any medical services that have been received and paid for in full by the patient, and similarly a request can be made to a healthcare provider not to disclose details of medical treatments to the patient's health plan if the patient has paid for them in full out of their own pocket.
Prior to the introduction of the new rule, Business Associates of covered entities could not be held liable for HIPAA violations, and neither could their covered entity if it could be established that it was unaware of any pattern or practice that violated the business agreement (provided it had complied with the HIPAA Privacy and Security Rules). The Omnibus Rule removes this exception: Business Associates can now be held liable for non-compliance issues and data breaches, provided they acted in the capacity of an agent of the covered entity.
The OCR will be enforcing the Omnibus Rule, although it is not expected to issue any financial penalties immediately; however, fines of up to $1.5 million per violation can be issued by the OCR for non-compliance issues. It is therefore essential that all covered entities which have not yet implemented the changes mandated by the Omnibus Rule do so immediately, and that they check their Business Associate agreements to ensure these have been updated to take the Omnibus changes into account.