What You Need to Know About the HIPAA Omnibus Final Rule - Part 2

Wednesday, September 25, 2013
By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules were amended by an Omnibus Final Rule published by the U.S. Department of Health and Human Services (HHS) in January 2013. By September 23, 2013, hospitals, physicians, covered entities and business associates must comply with the new changes.

The most significant changes involve business associates who are now directly subject to the mandates of the HIPAA Privacy and Security Rules and HIPAA enforcement. In addition, covered entities will need to evaluate changes to the breach notification rule, individual rights, additional requirements for Notices of Privacy Practices (NPPs) and the guidelines around the use of protected health information (PHI) for marketing and fundraising initiatives.

This is the second in a series of blogs that highlights important changes health care providers, covered entities and business associates should keep in mind to ensure compliance.

Security Breach Notification.

Under the Omnibus Final Rule, a breach is now defined as the acquisition, access, use or disclosure of PHI in a manner not permitted under the privacy rule, which compromises the security or privacy of the PHI.

-  The Final Rule changes which incidents are exceptions to the definition of a breach. Breaches of limited data sets, regardless of their content, must now be handled like all other breaches of PHI.

-  The breach notification standard was amended to require an assessment of the breach's "risk of compromise" rather than of harm. "Compromise" was considered a more objective test than harm. Therefore, breach notification is required in all situations except those in which the covered entity or business associate demonstrates a low probability that the PHI has been compromised.

-  To determine whether there is a low probability that PHI has been compromised, the covered entity or business associate must conduct a risk assessment that considers at least each of the following factors:
1.  The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
2.  The unauthorized person who used the PHI or to whom the disclosure was made.
3.  Whether the PHI was actually acquired or viewed.
4.  The extent to which the risk to the PHI has been mitigated.

-  Providers and covered entities still have a safe harbor, in which an unauthorized disclosure only rises to the level of a breach if the PHI disclosed is "unsecured."

-  Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in published guidance from HHS.

-  Requirements for the methods of breach notification do not change. That is, providers and covered entities must still provide notice to individuals, the media and HHS. Business associates (people or organizations that conduct business with the covered entity involving the use or disclosure of individually identifiable health information) must also provide notice to the covered entity no later than sixty (60) days after discovery of a breach of unsecured PHI.

Patients’ Rights to Access PHI.

The Omnibus Final Rule greatly enhances patients’ privacy rights and protections.

-  Patients have the right to ask for a copy of their electronic medical records in electronic form.

-  If the patient requests the PHI in a specific format, such as Word or HTML, the health plan must provide the information in the requested form as links or attachments.

-  The patient may be charged the reasonable cost of labor and supplies to produce the PHI in electronic form.

-  The patient is allowed to designate in writing that another individual (e.g., family member or spouse) is to receive the PHI.

-  Under the Final Rule, when patients pay out of pocket in full, they can instruct their provider to refrain from sharing information about their treatment with their health plan.

-  If a Medicare beneficiary requests a restriction on the disclosure of PHI to Medicare for a covered service and pays out of pocket for the service, the provider must also restrict the disclosure of PHI regarding the service to Medicare.

More on the HIPAA Omnibus Final Rule to Come.

In future blogs, we will continue to highlight important changes health care providers, covered entities and business associates should keep in mind to ensure compliance with the HIPAA Omnibus Final Rule by September 23, 2013. In the meantime, it’s important to revise privacy forms and office procedures, and to train employees on the changes. For assistance, contact an attorney experienced in HIPAA complaints, HIPAA violations and HIPAA risk assessments.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.
The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).
For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Tag Words: Health Insurance Portability and Accountability Act (HIPAA), HIPAA Omnibus Rule, September 23, HIPAA compliance, HIPAA compliance date, changes to HIPAA, data security, protected health information (PHI), Patient privacy, U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), Health Information Technology for Economic and Clinical Health (HITECH), patient privacy, patient rights, HIPAA compliance audit, HIPAA compliance, privacy, defense attorney, defense lawyer, HIPAA attorney, HIPAA lawyer, compliance plans, The Health Law Firm

"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2012 The Health Law Firm. All rights reserved.