Jan McDavid, General Counsel at HealthPort, highlights some of the key content in the new HIPAA omnibus final rule that healthcare providers should understand.
On January 17, 2013, to much fanfare, HHS released its eagerly anticipated HIPAA omnibus rule, which dramatically amends the HIPAA Privacy, Security, Breach and Enforcement Rules. The effect on healthcare providers and their business associates should not be taken lightly. The new rule goes into effect on March 26, and covered entities and business associates (BAs) are expected to comply by September 23 – not a lot of time to get one’s ducks in a row. Obviously, healthcare providers need to understand the new rule – and the depth of its ramifications – post-haste.
HHS Secretary Kathleen Sebelius made clear the intent of the new rule in an introductory statement:
“The final rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”
She went on to place the new rule in context:
“Much has changed in healthcare since HIPAA was enacted over 15 years ago. The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
The impressive document, at 563 pages, proved challenging to decipher. I’ll help you cut to the chase by highlighting some of its key content:
- Business Associates (BAs) of covered entities are now directly liable for compliance with certain requirements of HIPAA Privacy and Security rules.
- The rule revises the definition of a “breach,” which will make the occurrence of breaches – and the subsequent notification of those breaches – more frequent.
- The use and disclosure of protected health information for marketing and fundraising purposes is further limited, as is the sale of protected information without individual authorization (although there are several exceptions to this rule about sale).
- The rule expands patients’ rights to receive electronic copies of their health information and to restrict disclosures to health plans regarding treatment for which the individual has paid out of pocket in full.
- Covered entities are required to modify and redistribute their notice of privacy practices.
- Rules on patient authorizations and other requirements are modified to facilitate medical research, expedite the disclosure of child immunization proof to schools, and enable access to decedent information by family members and others.
- The HITECH Act interim enhancements to the Enforcement Rule are adopted, including provisions addressing enforcement of noncompliance with HIPAA rules due to willful neglect.
In a nutshell, healthcare providers have lots of work to do. Most immediately, providers need to update their business associate agreements and their breach analysis and notification processes.
The notification of breaches also gains importance under the new final rule. With a new study by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association showing that nearly 60% of organizations incurred a data breach within the last twelve months (and nearly 20% suffered multiple breaches), it makes sense for organizations to prepare themselves to react to inevitable breaches. And, as mentioned above, the rule’s expanded definition of “breach” will make breaches more numerous. Breaches are expensive. The same study showed that in 16% of breach occurrences, remediation costs were greater than $50,000. In 3% of occurrences, costs topped $500,000.
The new HIPAA omnibus rule will present challenges on multiple levels to healthcare providers as we all scramble to comply. Communicating requirements succinctly to BAs, updating your breach notification process, and keeping patient data organized and retrievable will go a long way in meeting these new challenges.
Jan P. McDavid, Esq. is the General Counsel and Chief Compliance Officer at HealthPort.