A Definitive Explanation of the HIPAA Omnibus Rule
- Blake Rodocker
- June 19, 2014
This article applies to Covered Entities (any health care provider, health plan, or health care clearinghouse) and Business Associates (any person or entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity).
With new HIPAA regulations and enforcement procedures having taken effect last year, it is important for HIPAA-covered healthcare entities to reexamine their obligations and ensure that the proper safeguards are in place to conserve the privacy of their patients’ protected health information (PHI).
The biggest challenge for organizations is ensuring compliance with the new HIPAA Omnibus Rule, which became effective on March 26, 2013. Though the rule allowed covered entities and business associates (BA) 180 days to adhere to most of its provisions, now, months after the September 23 compliance deadline has passed, the pressure is on to get in compliance.
Below we’ll discuss a few of the main areas that physicians must focus on to comply with the new ruling.
How Does the HIPAA Omnibus Rule Affect Relationships With Business Associates?
Relationships with business associates can be a point of vulnerability for hospitals and physicians if the proper steps aren’t taken to ensure compliance at both ends.
While in the past, liability for data breaches fell on covered entities, with the new HIPAA rule things have changed. The most significant change, as far as business associates (BAs) are concerned, is the fact that the Omnibus Ruling makes BAs and subcontractors of BAs of covered entities directly liable for compliance with certain HIPAA Privacy and Security requirements.
This means that a subcontractor who creates, receives, maintains, or transmits PHI on behalf of a business associate is also considered a HIPAA business associate and is therefore “on the hook” for compliance with applicable rules (e.g. Breach Notification Rule, HIPAA Security Rule, HIPAA Privacy Rule, etc.).
Additionally, business associates are now required to put the necessary safeguards in place and have the proper documentation to ensure HIPAA compliance. This includes providing a Business Associate Agreement to the covered entities they work with, in addition to “satisfactory assurances” that their PHI will be protected as required by HIPAA rules. Business associates must get this same agreement and assurance from subcontractors.
Although contractors and subcontractors have been made directly liable, there has not yet been a lot of enforcement taking place. There has, however, been a significant increase in enforcement over the past year on covered entities. This means that if you are a covered entity and have not yet been contacted, you could be next in line; so it is better to deal with compliance now than to have to scramble at an unexpected time.
Privacy Breaches: Who Is Responsible?
Under the old standard, a reportable privacy breach was one that involved the “unauthorized use or disclosure of PHI that posed a significant risk of financial, reputational or other harm to the affected individual.” With the new HIPAA ruling, however, “all unauthorized uses and disclosures of PHI are presumed to be reportable breaches.” That is, unless a risk assessment is conducted and it is determined that there is a low probability that the PHI has been compromised.
While before, covered entities were fully responsible for breaches and expected to watch over their business associates, in the event of a data breach authorities will now go after the source of the violation, be it the covered entity, business associate or subcontractor.
As far as penalties go, the new HIPAA rule has set a formal penalty scheme for breaches and noncompliance. The four categories of violation include:
How to Ensure Your Healthcare Organization Is In Compliance
You can achieve compliance with the new HIPAA regulations using only free resources. The Department of Health and Human Resources offers this guide to conducting a risk analysis on your own. There are also affordable solutions from compliance experts who can take care of the process for you and provide a much higher level of assurance than you can get on your own. Prices range from about $500 to $3,000.
Just remember, remaining compliant is an ongoing process – and it is important to work only with business associates that are familiar with HIPAA privacy and security regulations. These contractors will not only have the proper agreements in place, but they will also be less likely to breach HIPAA law since they understand the risks. Many companies, such as web and email hosting vendors, are completely unfamiliar with HIPAA and all it entails; so be sure to ask about their HIPAA compliance policies before entering into any agreements.
This article was originally published on the MWE blog.