Saturday, February 2, 2013
After three years and hundreds of proposed regulations, it’s finally here. On January 17, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released the final “Omnibus Rule” for the Health Insurance Portability and Accountability Act (HIPAA), which seeks to strengthen privacy and security protections, and has an effective date of March 26, 2013 (see final rule). Earlier this summer I documented some of the anticipated changes to the rule in my Circle briefing, New HIPAA Rules In The Wings – Are You Ready? Now that the rule is center stage, here is what provider organizations can expect.
Business associates – As expected, business associates of covered entities are directly liable for compliance with HIPAA, and the definition of who qualifies as a business associate has been expanded to include any entity that creates, receives, maintains or transmits protected health information (PHI) on behalf of a Covered Entity or an organized health care arrangement.
Breach notification – The rule requires covered entities and their business associates to provide notification when a breach of protected health information occurs. There is a specified protocol that includes notifying the press when a breach affects a certain number of patients. Enforcement of this has been significantly strengthened in the Final Rule.
Marketing & fundraising – There are more limitations on using PHI for marketing and fundraising purposes, starting with the requirement that prior patient authorization is required for all use of PHI in marketing. While PHI may be used in a fundraising environment with prior consent, the covered entity must offer the patient an “opt-out” option every time the information is used.
Expanded individual rights – The final rule offers additional protections and rights for individuals. Individuals have the right to a notice of privacy practices, can request restrictions on PHI use, request confidential communications of PHI, request and receive electronic access to PHI, request an amendment to their PHI, and receive a full disclosure of who has had access to their PHI.
Enforcement and compliance – The Office of Civil Rights (OCR) is enforcing this rule, handing out hefty fines even to small specialty providers, and the final omnibus ruling will now apply directly to Business Associates, with civil money penalties for violations due to “willful neglect.”
Genetic Information Nondiscrimination Act – The ruling strengthens privacy protections for genetic information previously mandated by Congress in The Genetic Information Nondiscrimination Act (GINA).
Health and human service organizations should note the more stringent final rules and incorporate this in their HIPAA compliance program (much) sooner, rather than later.
Lisette Wright, M.A.
Senior Associate, OPEN MINDS
For another free resource, see: Just When You Thought HIPAA Didn’t Matter
This is free for the next sixty days to all registered OPEN MINDS Circle members.