What You Need to Know About the HIPAA Omnibus Final Rule-Part 1

Tuesday, September 24, 2013
By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules were amended by an Omnibus Final Rule published by the U.S. Department of Health and Human Services (HHS) in January 2013. The Omnibus Final Rule marks the most significant changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes greatly enhance a patient’s privacy rights and protections, and also strengthen the ability to enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.

The most significant changes involve business associates who are now directly subject to the mandates of the HIPAA Privacy and Security Rules and HIPAA enforcement. In addition, covered entities will need to evaluate changes to the breach notification rule, individual rights, additional requirements for Notices of Privacy Practices (NPPs) and the guidelines around the use of protected health information (PHI) for marketing and fundraising initiatives.

The HIPAA Omnibus Final Rule will go into effect on September 23, 2013. By this date, hospitals, physicians and all covered entities must comply with the HIPAA Omnibus Final Rule. This blog series will highlight important changes that health care providers, covered entities and business associates should keep in mind to ensure compliance.


Highlights of the Changes for Business Associates.

The Omnibus Final Rule expands HIPAA’s coverage to directly regulate business associates and other entities.

-  The definition of a business associate in the Omnibus Final Rule has been broadened to include subcontractors who create, receive, maintain or transmit PHI on behalf of a business associate. A subcontractor is any downstream entity that has no direct contractual relationship with a covered entity, but has been tasked by a business associate to perform a function, activity or service on behalf of the covered entity or business associate.

-  Business associates and their subcontractors are now directly governed by HIPAA. This means business associates will be subject to potential criminal and civil sanctions for violations of HIPAA Privacy and Security Rules to the same capacity as covered entities.
    
-  The Final Rule enhances the responsibility of covered entities that rely on business associates. If a covered entity knows of a pattern of activity or practice of a downstream contractor that constitutes a material breach or violation of the downstream contract, the covered entity must take steps to cure the breach or end the violation. If those steps are unsuccessful, the covered entity must end the contract.

Covered entities and business associates will need to address the significant changes to the regulations of business associates. It is also important for business associates to immediately begin reviewing their privacy and security policies and develop programs to comply with the Omnibus Final Rule. Enforcement against covered entities and business associates begins September 23, 2013.


Marketing and Fundraising.


The Omnibus Final Rule sets new regulations for how patient information can be used for marketing and fundraising.

-  The Final Rule sets new limits on how information can be used and disclosed for marketing and fundraising purposes.

- Patients’ PHI cannot be sold without permission from the patient under the Final Rule.

-  NPPs must also inform individuals that a covered entity may contact patients to raise funds, and the patient has the right to opt out of receiving such communications.

Covered entities should now be modifying and implementing new policies and procedures that address the new limits on permissible uses of information for marketing and fundraising activities.


More on the HIPAA Omnibus Final Rule to Come.

In future blogs, we will continue to highlight important changes that health care providers, covered entities and business associates should keep in mind to ensure compliance of the HIPAA Omnibus Final Rule by September 23, 2013.


Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

 
The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).
 
For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.


About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.


Tag Words: Health Insurance Portability and Accountability Act (HIPAA), HIPAA Omnibus Rule, September 23, HIPAA compliance, HIPAA compliance date, changes to HIPAA, data security, protected health information (PHI), Patient privacy, U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), Health Information Technology for Economic and Clinical Health (HITECH), patient privacy, patient rights, HIPAA compliance audit, HIPAA compliance, privacy, defense attorney, defense lawyer, HIPAA attorney, HIPAA lawyer, compliance plans, The Health Law Firm
"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2012 The Health Law Firm. All rights reserved.
9/24/2013

Like this blog? Add your public comments:

Items in bold indicate required information.