The HIPAA omnibus rule is here, with a compliance deadline of Sept. 23, 2013. Attorney Adam Greene -- former federal HIPAA regulator and current partner at Davis Wright
"The wait is over … there are no more excuses for not jumping in and reassessing and approving your HIPAA compliance," Greene said in a webinar sponsored by data breach prevention and response services vendor ID Experts. While it would be impossible to be comprehensive in an hour-long presentation -- the HIPAA omnibus rule is 563 pages, after all -- Greene called attention to some HIPAA hot spots where this updated regulation shines a sharp spotlight and might change current compliance strategies:
- Business associates and their subcontractors are now, in effect, covered entities: they are directly liable for compliance with the HIPAA Security Rule and the applicable parts of the Privacy Rule, not merely bound by contract. That means they are subject to random HIPAA compliance audits, too.
- There are likely more business associates in your universe. Before, if you used or disclosed protected health information (PHI) on behalf of a covered entity, you were a business associate. That definition expands to now include any party who "creates, receives, maintains or transmits PHI" for a covered entity.
- Rework those business associate agreements to state explicitly that the business associate understands it must now comply with the breach notification rules. For agreements already in place, HHS grants a one-year transition period to bring them into line, with a deadline of Sept. 23, 2014.
- Immunization records can be released to schools without a written authorization. Read the fine print here, too -- there are caveats: the school must be required by state or other law to have the record before admitting the student, and the covered entity must obtain and document the agreement of the parent, guardian or emancipated minor (an oral agreement is acceptable).
- PHI isn't PHI 50 years after a patient's death. Furthermore, a covered entity may disclose a decedent's PHI to family members and others who were involved in the decedent's care or in payment for that care -- provided the disclosure doesn't run contrary to a prior expressed preference of the patient that is known to the covered entity.
- More rules around genetic information. First, genetic information is now explicitly health information, and therefore PHI when it is individually identifiable. Second, a health plan (other than an issuer of long-term care policies) may not use or disclose genetic information for underwriting purposes.
- Rules about using PHI for fundraising and marketing have changed, as have the rules on sale of PHI. Dive into these sections; some rules around fundraising have been loosened -- more categories of PHI may be used to target fundraising -- as long as the covered entity gives each recipient a clear and conspicuous opportunity to opt out and honors that choice. Rules governing marketing with PHI and sale of PHI, however, have been tightened, and both now generally require the patient's written authorization.
- Non-disclosure of services paid out of pocket: Here's a data management puzzle for the CIO and HIM manager to solve together -- when patients pay in full out of pocket for an item or service and request that their health plans not be told about it, the covered entity must honor the restriction, unless the disclosure is required by law. In practice that means the record system has to flag those encounters so the information is not sent to the plan for payment or operations.
- There's more to come. Missing from the HIPAA omnibus rule and yet to be issued by HHS are clarifications on: how covered entities will account for PHI disclosures and produce PHI access reports; the "minimum necessary" standard for use and disclosure of PHI in the course of care; and a method for distributing a portion of the civil penalties and settlements collected by the HHS Office for Civil Rights to patients harmed by a breach, and how that will happen.
This was first published in February 2013