MEDICAL PRACTICES MUST COMPLY WITH THE HIPAA OMNIBUS RULE
The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule, enacted in March, expands the obligations of physicians and other health care providers to protect patients’ protected health information (PHI). These obligations now extend beyond covered entities to the other individuals and companies that, as Business Associates (BAs), have access to PHI. The Omnibus Rule also increases the penalties for violations of any of these obligations.
The goal of the Omnibus Rule is to further protect patient privacy and safeguard patients’ health information in the digital age, with increased protection and control of personal health information and increased accountability for BAs. The Omnibus Rule introduces a number of provisions, ranging from expanded individual patient rights over their PHI, to rules governing the use of PHI for employee training, marketing, fundraising, and research purposes, to breach notification requirements. BA relationships and agreements should also be reviewed for compliance, particularly BA agreements entered into before January 25, 2013.
The requirements for complying with the HIPAA Omnibus Rule are:
- Review BA agreements for conformity with the new Omnibus Rule, and review existing agreements and contractor arrangements to determine compliance.
- Update HIPAA policies and procedures to address response to potential breaches of unsecured PHI.
- Update, post, and distribute Notices of Privacy Practices.
- Put in place restrictions on the use of PHI for marketing, sales, and fundraising.
- Train medical practice staff on new obligations. Training must be documented. If it is not documented, it did not happen.
Existing BA agreements entered into before January 25, 2013 remain compliant until they are changed or renewed, or until September 22, 2014 at the latest.
Enforcement efforts begin September 23, 2013. After the deadline, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will audit covered entities and penalize willful neglect, with a maximum penalty of up to $1.5 million per violation.
At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. As part of these services, we help medical practices perform and document a risk analysis, and we provide a thorough risk management report describing the risks and vulnerabilities affecting their PHI.
A free consultation of 30 minutes or less will tell you whether your practice would be found in willful neglect in the case of an audit.
For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.
At Vitruvian MedPro, a Massachusetts-based medical billing and practice management consulting company, we help medical practices improve cash flow and focus on patient care by providing medical billing, medical coding, and patient collection services. Visit our website at Vitruvian MedPro