Sept 23, 2013, the compliance date of the Final Omnibus Rule, is an important date for medical practices: it is the day the government will start enforcing the Omnibus Rule changes made to the Health Insurance Portability and Accountability Act (HIPAA). The changes made as part of the Omnibus Rule relate to how medical practices secure Protected Health Information (PHI), whether medical practices have updated their Business Associate (BA) agreements, and what medical practices need to communicate to their patients about their privacy rights.
The changes under the Final Omnibus Rule took effect in March 2013; however, covered entities were given six months to review their HIPAA plans and comply. The Department of Health and Human Services (HHS) updated the HIPAA regulations under the Final Omnibus Rule to account for the wider use of electronic health records by medical providers.
In order to comply with the new regulations, medical practices are required to:
1. Perform a risk analysis to identify vulnerabilities affecting PHI. Medical practices are expected to document that they have completed a risk analysis; a completed risk analysis yields a risk management report that lists the vulnerabilities of their electronic PHI.
2. Encrypt devices that store PHI so that the information cannot be used if the devices are lost or stolen.
3. Develop and review the policies and procedures the medical practice will follow if PHI is breached (lost, stolen, or inappropriately disclosed).
4. Review the BA agreements with their current vendors. Updated BA agreements are required for all vendors that have access to PHI, and medical practices need to ensure that their BAs have put in place all the required safeguards to secure PHI.
A breach of PHI brings hefty fines to medical practices found to be in willful neglect. The fines range from $100 to $50,000 and can go higher depending on the size of the medical practice and the type of breach.
At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. Reach out to us to review your current HIPAA Compliance Program. A free consultation of 30 minutes or less will let you know whether your practice would be found in willful neglect in the case of an audit.
For more information on Vitruvian MedPro’s HIPAA Compliance Kit, visit: HIPAA Compliance Kit.
For more information on the updates made under the Omnibus Rule, visit: HHS.
This post used as a reference an article published by Medical Economics, "A quick guide to HIPAA compliance for Physicians," published on July 10, 2013.