HIPAA omnibus rule: Compliance tips for provider preparedness

The HIPAA omnibus rule is here, and it is set to go into effect Sept. 23. Attorney Adam Greene -- former federal HIPAA regulator and current partner at Davis Wright Tremaine LLP -- broke down some of the key areas of the law for health care providers to consider while updating their compliance plans.

"The wait is over … there are no more excuses for not jumping in and reassessing and approving your HIPAA compliance," Greene said in a webinar sponsored by data breach prevention and response services vendor ID Experts. While it would be impossible to be comprehensive in an hour-long presentation -- the HIPAA omnibus rule is 563 pages, after all -- Greene called attention to some HIPAA hot spots where this updated regulation shines a sharp spotlight and might change current compliance strategies:

  • Business associates and their subcontractors are now, in effect, covered entities. That means they are subject to random HIPAA compliance audits, too.
  • There are likely more business associates in your universe. Before, if you used or disclosed protected health information (PHI) on behalf of a covered entity, you were a business associate. That definition expands to now include any party who "creates, receives, maintains or transmits PHI" for a covered entity.
  • Rework those business associate contracts to include verbiage acknowledging they understand they now must comply with breach notification rules. In some cases, CMS grants a one-year grandfather period to remake those agreements with a deadline of Sept. 23, 2014.
  • Immunization records can be released to schools without authorization. Read the fine print here, too -- there are caveats.
  • PHI isn't PHI 50 years after a patient's death. Furthermore, a covered entity may disclose PHI to persons involved in the decedent's care or payment -- if that doesn't run contrary to the patient's prior expressed preference.
  • More rules around genetic information. First, genetic data is now health information. Second, a health plan (other than long-term care plans) may not use or disclose genetic information for underwriting purposes.
  • Rules about using PHI for fundraising and marketing have changed, as well as sale of PHI. Dive into these sections; some rules around fundraising have been loosened -- as long as the covered entity follows HIPAA rules that outline patient opt-out policies. Rules governing marketing with PHI and sale of PHI, however, have been tightened.
  • Non-disclosure of services paid out of pocket: Here's a data management puzzle for the CIO and HIM manager to solve together -- when patients fully pay out of pocket for care and request their health plans not know about it, the covered entity must comply. Unless, of course, non-disclosure is prohibited by law.
  • There's more to come. Missing from the HIPAA omnibus rule, and yet to be issued by CMS, are clarifications on: how covered entities will account for PHI disclosures and create PHI access reports; the "minimum necessary" standards of disclosure of PHI during the course of care; and an outline of what portion of the penalties and settlements that the HHS Office of Civil Rights collects will be distributed to patients harmed by a data breach, and how that will happen.

Let us know what you think about the story; email Don Fluckinger, news director, or contact @DonFluckinger on Twitter.

This was first published in February 2013
