The HIPAA omnibus rule is here and is set to go into effect Sept. 23. Attorney Adam Greene -- former federal HIPAA regulator and current partner at Davis Wright Tremaine LLP -- broke down some of the key areas of the law for health care providers to consider while updating their compliance plans.
"The wait is over … there are no more excuses for not jumping in and reassessing and approving your HIPAA compliance," Greene said in a webinar sponsored by data breach prevention and response services vendor ID Experts. While it would be impossible to be comprehensive in an hour-long presentation -- the HIPAA omnibus rule is 563 pages, after all -- Greene called attention to some HIPAA hot spots where this updated regulation shines a sharp spotlight and might change current compliance strategies:
- Business associates and their subcontractors are now, in effect, covered entities. That means they are subject to random HIPAA compliance audits, too.
- There are likely more business associates in your universe. Before, if you used or disclosed protected health information (PHI) on behalf of a covered entity, you were a business associate. That definition expands to now include any party who "creates, receives, maintains or transmits PHI" for a covered entity.
- Rework those business associate contracts to include verbiage acknowledging that the associates understand they must now comply with breach notification rules. In some cases, CMS grants a one-year grandfather period to remake those agreements, with a deadline of Sept. 23, 2014.
- Immunization records can be released to schools without authorization. Read the fine print here, too -- there are caveats.
- PHI isn't PHI 50 years after a patient's death. Furthermore, a covered entity may disclose PHI to persons involved in the decedent's care or payment -- if that doesn't run contrary to the patient's prior expressed preference.
- More rules around genetic information. First, genetic data is now health information. Second, a health plan (other than long-term care plans) may not use or disclose genetic information for underwriting purposes.
- Rules about using PHI for fundraising and marketing have changed, as well as sale of PHI. Dive into these sections; some rules around fundraising have been loosened -- as long as the covered entity follows HIPAA rules that outline patient opt-out policies. Rules governing marketing with PHI and sale of PHI, however, have been tightened.
- Non-disclosure of services paid out of pocket: Here's a data management puzzle for the CIO and HIM manager to solve together -- when patients fully pay out of pocket for care and request their health plans not know about it, the covered entity must comply. Unless, of course, non-disclosure is prohibited by law.
- There's more to come. Items missing from the HIPAA omnibus rule and yet to be issued by CMS include clarifications on: how covered entities will account for PHI disclosures and create PHI access reports; the "minimum necessary" standards for disclosure of PHI during the course of care; and an outline of what portion of the penalties and settlements the HHS Office of Civil Rights collects will be distributed to patients harmed by a data breach, and how that will happen.