HIPAA OMNIBUS RULES AND THE PRIVACY AND SECURITY RULES
Covered entities should have updated their privacy and security rules to comply with the final HIPAA Omnibus rules as of September 23rd, 2013. The final rules became effective on March 26, 2013 but gave covered entities 180 days to comply with the rules. Covered entities that have not updated their privacy and security rules to comply with the final omnibus rules requirements need to do so immediately. Covered entities that have not updated their privacy and security rules run the risk of being found in willful neglect by the Department of Health and Human Services (HHS) and risk the chance of having to face a full HIPAA audit and pay high fines. According to the health of the Office of Civil Rights the final Omnibus Rules bring “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented”.
An important aspect of updating the HIPAA compliance program to meet the final Omnibus Rules requirements is to review the privacy and security rules. Some areas that must be reviewed and updated are: breach notification procedures, disclosures of Protected Health Information (PHI), marketing, the sale of PHI, fundraising and access rights to PHI.
The way to address breach notifications has changed with the final rules. Covered entities must notify patients whenever there is a breach to PHI. Breaches to PHI must be notified unless the covered entity can demonstrate that the PHI has not been compromised or that the chances of PHI being compromised are very small. The rules for breach notifications also apply to business associates. By conducting a risk assessment, covered entities and business associates can determine what is considered a breach and how to react to a breach. To illustrate, a common recommended practice to guard PHI is to encrypt all the electronic devices that have access to and store PHI. When an encrypted device gets stolen or lost, it can be assumed that the breach is unlikely to happen and a breach notification is not necessary.
Disclosures of PHI are an important aspect of the final omnibus rules. Patients have now the right to request that medical practices do not disclose their PHI for a specific service or treatment received to their health plans if they have paid for this particular visit out of pocket. So, covered entities must address its patients request to not disclose specific treatment PHI to health plans when the patients pay cash for the treatment. Covered entities must inform patients of treatments that need to be disclosed regardless of payment in instances where it is required by law.
There are cases where the covered entities have marketing agreements with providers of medical services such as pharmaceutical companies and medical device manufacturers where they are compensated for sharing treatment information for marketing purposes. As part of the final Omnibus rules, covered entities must get patient authorization when treatment communication are shared for marketing purposes. The American Medical Association states that Physician may tell patients about a third party product without the patient’s authorization when the physician does not get compensated for the information, when the physician tell the patient in person, when the patient is already being prescribed a medication, when the communication is done to promote health and when the communication involves a government program.
Covered entities must review their policies in the cases where they receive compensation for providing PHI to an external entity. Covered entities can’t sale PHI without their patient’s written authorization. As part of the final Omnibus Rules, covered entities that are compensated for the sale of PHI, must be authorized by their patients before they can disclose their PHI. Patients must be made aware when covered entities sale their PHI to external parties.
In cases where a covered entity engages in sending fundraising communications, they must update the fundraising forms so that patients can choose to opt out of receiving fundraising communications.
Patients have the right to request a copy of their PHI. Covered entities that use an EMR system to store patient information are now required to provide patients with their PHI EMR stored data upon request. Covered entities must provide the patients with their requested PHI within 30 days after the patient has made the request. Covered entities can request a 30-day extension. Covered entities must provide access to their EMR in the electronic format that the patient requests. The costs of obtaining the PHI information may be charged to the individual who is requesting the records.
Finally, covered entities must ensure that their staff is trained on all the new policies and procedures. The training must be completed on a yearly basis and it must be documented.
The new rules must be taken seriously as they have the potential for $1.5 million in fines and can put a covered entity out of business
At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. As part of our HIPAA Compliance consulting services, we help medical practices perform and document a risk analysis. We provide medical practices with a thorough risk management report describing their risks and vulnerabilities with PHI. A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.
At Vitruvian MedPro, a Massachusetts based medical billing and practice management consulting company, we help medical practices improve cash flow and focus on patient care by providing medical billing, medical coding, and patient collection services. Visit our web site at Vitruvian MedPro