Health care providers and other covered entities and business associates can begin poring over the HIPAA omnibus rule, released Jan. 17 by the U.S. Department of Health & Human Services' Office for Civil Rights. The 563-page rule outlines OCR's data privacy and security enforcement strategies, which have been updated for the EHR era as mandated by the HITECH Act.
The proposed rule was released in July 2010, and the final rule had been at the Office of Management and Budget (OMB) since March 2012, a stop that usually amounts to a few weeks before U.S. government agencies publish regulations in the Federal Register. But officials delayed the final release as they sought to address stakeholder concerns regarding data breach thresholds and enforcement policies. In June, National HIT Coordinator Farzad Mostashari, M.D., predicted the Health Insurance Portability and Accountability Act (HIPAA) omnibus rule would be out by the end of the summer.
Now it's here, and the enforcement clock begins ticking. The omnibus rule goes into effect March 26, and covered entities have 180 days -- or until Sept. 22, 2013 -- to get into compliance. Here are 10 other pieces of information from the final rule for covered entities and their business associates to be aware of:
- According to a regulatory impact analysis contained in the rule, the Office for Civil Rights (OCR) estimates that between 200,000 and 500,000 business associates of some 19,000 covered entities exist in the country. The American Hospital Association estimates there are not quite 6,000 registered U.S. hospitals.
- OCR sides with consumer advocates, who wanted to be sure all "electronic designated record sets" are available to patients. This decision goes against other industry stakeholders, who wanted to limit that requirement to access to electronic health records (EHRs).
- When a covered entity requires patients to make a "written" request for their records, patients may now request their records electronically -- and sign those requests electronically -- if the organization chooses to support the technology.
- If a patient wants their data to be placed on an external media drive, like a thumb drive, providers are not mandated to accept the device if their organization has conducted a HIPAA risk analysis and found external drives to be a risk. However, if they reject a patient's thumb drive, they can't require the patient to purchase a drive the covered entity provides. Instead, they have to find an alternative distribution method, such as email.
- The OCR did not define EHRs, but clarified that patients do have access to electronic copies of their health information wherever the data is housed.
- Covered entities are not liable for unauthorized access to unencrypted emails if patients want to receive their data that way. OCR said in the rule: "We do not expect covered entities to educate individuals about encryption technology and information security. If individuals are notified of the risks, and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request [or once it's delivered]."
- A provider can wait 30 days between a patient's request for data and delivering it, with a 30-day extension when necessary. But OCR hopes organizations don't wait that long. "We encourage covered entities to provide individuals with access to their information sooner, and to take advantage of technologies that provide individuals with immediate access to their health information."
- Patient safety organizations, health information organizations (HIOs), e-prescribing gateways and "other persons that facilitate data transmission", as well as personal health records vendors, are explicitly named as business associates. OCR chose the term "HIO" because it includes both health information exchanges and regional health information organizations.
- Subcontractors of business associates are now the same category as business associates, in the compliance sense.
- Many factors will go into determining the size of fines. Three of them are: whether the covered entity or business associate had financial difficulties that affected compliance; whether the imposition of a civil money penalty would jeopardize the ability of the organization to continue to provide or pay for health care; and ... "such other matters as justice may require."
The postal service, United Parcel Service, delivery truck line operators, etc. are not business associates as enumerated by OCR. Internet service providers "providing mere data transmission services" are breathing a sigh of relief, as they remain excepted, too, as the electronic equivalents of delivery services in the omnibus rule. SearchHealthIT had heard rumors a change was being debated behind the scenes. Stay tuned, though, as the HIPAA omnibus rule states, "We intend to issue further guidance in this area as electronic health information exchange continues to evolve."