15 Things to Know About the HIPAA Omnibus Final Rule Before Sept. 23


By Sept. 23, hospitals and physicians must comply with the HIPAA omnibus final rule, which strengthens patient privacy protections and provides patients with new rights to their protected health information.

Here are some highlights from the omnibus final rule healthcare providers and covered entities should be mindful of to ensure compliance by Sept. 23.

1. The final rule expands patient rights by allowing them to ask for a copy of their electronic medical record in electronic form.

2. Under the final rule, when patients pay out of pocket in full, they can instruct their provider to refrain from sharing information about their treatment with their health plan.

3. If a Medicare beneficiary requests a restriction on the disclosure of PHI to Medicare for a covered service and pays out of pocket for the service, the provider must also restrict the disclosure of PHI regarding the service to Medicare.

4. The final rule sets new limits on how information can be used and disclosed for marketing and fundraising purposes, and it prohibits the sale of an individual's health information without their permission.

5. Penalties for noncompliance with the final rule are based on the level of negligence, with a maximum penalty of $1.5 million per violation.

6. The breach notification final rule was amended with a requirement to determine the breach's "risk of compromise" rather than harm. "Compromise" was considered a more objective test than harm. Thus, breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates a low probability that the PHI has been compromised.

7. To determine whether there is a low probability that PHI has been compromised, the covered entity or business associate must conduct a risk assessment that considers at least each of the following factors:

• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
• The unauthorized person who used the PHI or to whom the disclosure was made.
• Whether the PHI was actually acquired or viewed.
• The extent to which the risk to the PHI has been mitigated.

8. The final rule changed which incidents are exceptions to the definition of "breach." Before, an incident was an exception to the definition of breach if the PHI used or disclosed was a limited data set that did not contain any birthdates or ZIP codes. Under the final rule, breaches of limited data sets — regardless of their content — must be handled like all other breaches of PHI.

9. Providers and covered entities still have a safe harbor, in which an unauthorized disclosure only rises to the level of a breach — thereby triggering notification requirements of the HITECH Act — if the PHI disclosed is "unsecured."

10. Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of technology or methodology specified by the secretary through published guidance.

11. Requirements for methods of breach notification remain unchanged.

That is, providers and covered entities must provide notice to individuals, the media (if the breach affects more than 500 residents of a state or smaller jurisdiction) and HHS (if the breach affects more than 500 individuals regardless of location). Business associates, meaning people or organizations that conduct business with the covered entity involving the use or disclosure of individually identifiable health information, must also provide notice to covered entities no later than 60 days after the discovery of a breach of unsecured PHI.

12. Covered entities' Notice of Privacy Practices forms need to inform patients that they will be notified if their PHI is subject to a breach. NPPs must also inform individuals that a covered entity may contact them to raise funds, and the individual has a right to opt out of receiving such communications.

13. Business associate agreements and policies and procedures must address the prohibition on the sale of patients' PHI without permission.

14. Covered entities must modify and implement policies and procedures that address the new limits on permissible uses of information for marketing and fundraising activities.

15. Covered entities' business associate agreements and policies and procedures must address the expanded rights of individuals to restrict disclosures of PHI.

For more information on the HIPAA final omnibus rule, read McGuireWoods' legal alert on the rule, Greenberg Traurig's deadline checklist or the final rule itself from the Federal Register.


© Copyright ASC COMMUNICATIONS 2012.
