Should We Be Concerned about the New HIPAA Omnibus Rule?

February 18th, 2013 / By Camille Cohen

Well, that all depends. Just the sound of it could create fear in anyone, and knowing that it introduced some of the most significant changes to HIPAA in years, one could easily be concerned. And before it was published in the Federal Register, its more than 500 pages seemed a daunting task to review. However, if you followed the changes to HIPAA within the Health Information Technology for Economic and Clinical Health (HITECH) Act and in the Proposed Rule modifying HIPAA for the HITECH Act, you are less likely to be caught by surprise by most of the Final Rule and may have already started to implement some of the provisions.

Modifications were made to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act. Just understanding when the Rule takes effect is important. The Department of Health and Human Services has determined an effective date with a compliance date six months later, offering organizations time to bring their processes within compliance with the new Rule. Thus, the important dates to remember are:

  • Effective Date: March 26, 2013
  • Compliance Date: September 23, 2013

Some of the significant changes within the rule are as follows:

  • Business Associates have new obligations under both the HIPAA Security and Privacy Rules; however, not all obligations under the Privacy Rule apply to Business Associates. Business Associates may be liable for violating their agreed-upon uses or disclosures, for example, but are not required to have Notices of Privacy Practices. Business Associates may also be directly liable for civil money penalties under the new rule.
  • Business Associates must now have written agreements with their subcontractors. Putting a Business Associate Agreement in place with the subcontractor is the responsibility of the Business Associate, not the Covered Entity (hospital, physician practice, etc.).
  • The trigger for Breach Notification changed from a subjective assessment of the significant risk of harm to a presumption that a breach requires notification unless the entity can demonstrate based upon a risk assessment that there is a low probability that protected health information (PHI) was compromised.
  • Use of PHI in Marketing and Fundraising was further defined to require authorizations and some provisions for the patient to be able to opt out. For the Sale of PHI, several areas were better defined, such as the remuneration to a covered entity (when it constitutes a sale and when it does not). For example, if the fee paid is a reasonable cost-based fee to prepare and transmit the data, it’s likely not a sale.
  • The Minimum Necessary Standard receives attention. This standard applies to Business Associates and to the use of Limited Data Sets since this data includes some PHI. The Office of Civil Rights plans to issue further guidance on the application of this standard in the future.
  • Requests for Restrictions on Disclosures of PHI to health plans. Since this provision was introduced in the HITECH Act, it has posed some concern. The provision allows for patients to request that a covered entity not disclose PHI to health plans for reasons of payment or health care operations unless required by law. The PHI pertains to a health care item or service for which the individual has paid the covered entity in full. The Final Rule clarifies that it is the individual’s obligation to notify those downstream providers of the restriction on the disclosure of PHI. That relieves the original provider from the responsibility of further restriction by others. The comments within the rule further explain that providers are not required to create separate medical records or segregate PHI but must flag the record in some way in order to comply with the restriction.
  • Patients’ right to access electronic PHI. The Privacy Rule has allowed individuals to review or obtain copies of their PHI if the information is maintained in a designated record set (i.e., medical record). The HITECH Act required that if PHI is maintained in an electronic health record (EHR), then the individual may obtain an electronic copy and direct the provider to transmit the copy to a person or entity. The Final Rule broadens this access right to all PHI maintained electronically by a covered entity. The patient can request a specific electronic format. The Covered Entity would be required to provide the information in the requested format if possible and, if not, to provide it in another readable electronic format agreeable to both the Covered Entity and the individual. Acceptable formats include Microsoft Word or Excel, text, HTML, or text-based PDF. Another change is that the 60-day time frame for providing access when PHI is not maintained by or accessible to the Covered Entity on site was eliminated. The provider still has a one-time 30-day extension to respond to the request for access if needed. Depending upon the situation, charges for providing an electronic copy of PHI may apply (e.g., for electronic media, retrieval of the data, etc.).

Although it’s advisable to review what you have implemented based upon HITECH or the Proposed Rule, there does not seem to be great cause for concern within the Final Rule. And who knows? Once we are comfortable with this rule, it will probably be time for the release of the new Accounting for Disclosures requirement.

Camille Cohen is the Compliance Officer for 3M Health Information Systems.