The HIPAA Omnibus Rule comes into effect today, March 26, and amends the existing HIPAA regulations to provide greater protection for patient data, extending the reach of HIPAA and bringing its rules into line with the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The final rule was issued on Jan 25, 2013 by the Department of Health and Human Services (HHS) as an amendment to the Health Insurance Portability and Accountability Act (HIPAA).
The HIPAA Omnibus Rule contains many changes; it combines four final rules:
- The HIPAA Privacy, Security and Enforcement Rules are amended as follows:
  - Liability for HIPAA compliance is extended to business associates and their subcontractors.
  - Sale of PHI is prohibited without patient authorization, and the use of PHI for marketing or fundraising is restricted.
  - Patients gain expanded rights, including the right to obtain electronic copies of their health records and the right to restrict disclosure to a health plan of information about treatment they have paid for in full out of pocket.
  - HIPAA-covered entities must update their Notices of Privacy Practices.
  - The rule clarifies how privacy and security violations are identified and when they must be reported by covered entities and business associates.
- The tiered civil penalty structure mandated by HITECH is adopted.
- The HITECH breach notification rule is clarified to help healthcare organizations determine whether a security incident must be reported.
- The HIPAA Privacy Rule is modified in accordance with the Genetic Information Nondiscrimination Act (GINA), as proposed in Oct 2009, to prohibit the use or disclosure of genetic information for health plan underwriting purposes.
A violation of the Health Insurance Portability and Accountability Act (HIPAA) carries a financial penalty of between $100 and $50,000 per violation where the organization did not know of the violation and, having exercised reasonable diligence, would not have known of it.
Where the violation is due to reasonable cause rather than willful neglect, the penalty rises to between $1,000 and $50,000 per violation. In cases of willful neglect that are corrected within 30 days, the fine is between $10,000 and $50,000 per violation. Willful neglect that is not corrected within that period carries a minimum fine of $50,000 per violation. Across all tiers, penalties for violations of an identical provision are capped at $1.5 million per calendar year.
A breach must be notified unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. That assessment must consider the nature and extent of the PHI involved, including the types of identifiers present; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to patients has been mitigated.
Healthcare providers that transmit or store electronic health information, together with any business associates that receive, maintain or transmit PHI on their behalf, are covered by HIPAA, so the Omnibus Rule applies to them.
The business associate definition now covers any organization that requires access to PHI, provides data transmission services involving PHI, offers a personal health record on behalf of a HIPAA-covered entity, or is a subcontractor with access to PHI; all of these must also comply with the Omnibus Rule.
The Omnibus Rule is a material change, and as such requires covered entities to update their Notices of Privacy Practices. Healthcare organizations and other covered entities have until Sept 23, 2013 to update their NPPs and put the new rules in place. After that date, failure to apply the changes will be treated as non-compliance and is likely to incur financial penalties.