What You Need to Know About the HIPAA Omnibus Final Rule-Part 3

Thursday, September 26, 2013
By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Health Insurance and Portability and Accountability Act (HIPAA) Privacy and Security Rules were amended by an Omnibus Final Rule published by the U.S. Department of Health and Human Services (HHS) in January 2013. The most significant changes involve business associates who are now directly subject to the mandates of the HIPAA Privacy and Security Rules and HIPAA enforcement. In addition, covered entities will need to evaluate changes to the breach notification rule, individual rights, additional requirements for Notices of Privacy Practices (NPPs) and the guidelines around the use of protected health information (PHI) for marketing and fundraising initiatives.

By September 23, 2013, hospitals, physicians, covered entities and business associates must comply with the HIPAA Omnibus Final Rule.

This is the third in a series of blogs that highlight important changes health care providers, covered entities and business associates should keep in mind to ensure compliance. Click here to read part one, and click here for part two.

Notices of Privacy Practices.

The HIPAA Omnibus Final Rules includes additional requirements for NPPs.

-  The Final Rule requires entities to modify certain elements of their NPPs and redistribute those revised forms to each individual who is the subject of PHI. The notice must describe:
        1.  The uses and disclosures of PHI that may be made by the covered entity;
        2.  The individual’s rights; and
        3.  The covered entity’s legal duties with respect to the PHI.
-  The revisions to the rules governing NPPs specify:
1.  The sale of PHI and the use of such information for paid marketing requires authorization from the patient;
2.  Other uses and disclosures not described in the NPP will be made only with authorization;
3.  Individuals have the right to opt-out of fundraising communications; and
4.  Covered entities must notify affected individuals of breaches of their PHI.

Covered entities should review and revise the content of their NPPs, as well as the process associated with NPP distribution to become compliant with the Omnibus Final Rule before the September 23, 2013, compliance date.  

Enforcement of the Omnibus Final Rule.

The Omnibus Final Rule clarifies the parameters in which HHS will investigate a potential violation or initiate a compliance review.

HHS is required to investigate a complaint if a preliminary review of the fact indicates a possible HIPAA violation due to willful neglect.

HHS must conduct a compliance review to determine whether a covered entity or     business associate is complying with HIPAA when a preliminary review of the fact indicates a possible violation due to willful neglect.

-  Penalties for noncompliance with the Final Rule are based on the level of negligence with a maximum penalty of $1.5 million per violation.

Impact of Final Rule on Covered Entities and Business Associates.

The Omnibus Rule significantly strengthens HIPAA enforcement, which should concern all covered entities and business associates. Over the past couple of years, we’ve seen the Office of Civil Rights (OCR) become more aggressive in enforcing HIPAA and now has a more robust enforcement rule at its disposal. Therefore, it is now more important than ever for covered entities and business associates to understand their obligations under HIPAA and have compliance programs in place to help make sure those obligations are met.

Avoid HIPAA Violations: Get a HIPAA Risk Assessment.

Since the HIPAA laws are undergoing an overhaul on September 23, 2013, you need to edit your privacy forms and procedures. Many health providers simply don't have the time to re-review their policies and revise documents. A HIPAA risk assessment is a thorough review and analysis of areas where you may have a risk of violating the HIPAA laws. Federal regulations require that covered entities have this assessment done. A HIPAA risk assessment can significantly reduce your exposure to regulatory and litigation sanctions.

When the OCR auditor comes to visit your office to check for HIPAA compliance, they will ask for your risk assessment. Do you have one? Does your staff know who your HIPAA compliance officer is? Call an experienced health law attorney to complete a risk assessment of your practice today. To learn more on HIPAA risk assessments, click here to read a previous blog.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.
The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).
For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

Tag Words: Health Insurance Portability and Accountability Act (HIPAA), HIPAA Omnibus Rule, September 23, HIPAA compliance, HIPAA compliance date, changes to HIPAA, data security, protected health information (PHI), Patient privacy, U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), Health Information Technology for Economic and Clinical Health (HITECH), patient privacy, patient rights, HIPAA compliance audit, HIPAA compliance, privacy, defense attorney, defense lawyer, HIPAA attorney, HIPAA lawyer, compliance plans, The Health Law Firm

"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2012 The Health Law Firm. All rights reserved.

Like this blog? Add your public comments:

Items in bold indicate required information.