The HIPAA Omnibus Rule was passed in March this year, but the OCR gave covered bodies a grace period in which to bring their organizations' policies and procedures up to date with the new regulations.
The Omnibus Rule amended HIPAA to cover Business Associates of covered bodies – and their subcontractors – with the 6-month grace period put in place to give these newly covered organizations time to become compliant. That grace period elapsed today and the Omnibus Rule is now enforceable, with the OCR able to issue fines for any non-compliance issues it now finds.
The Omnibus Rule adds a number of security controls to ensure that private medical records are properly secured, including new restrictions on who is able to access them. The Breach Notification Rules have been updated and now presume that any unauthorized access of PHI is a reportable violation, not just access which poses a significant danger. Potential victims – as well as the OCR – must be notified of the breach within 60 days of it being identified.
Any security breach must now be reviewed to decide whether it is reportable, using the following four criteria: the nature of the data exposed; the unauthorized individual who accessed – or could possibly have accessed – the data; whether the PHI was actually acquired and/or viewed; and the extent to which the organization has been able to mitigate any damage inflicted. Prior to the passing of the new final rule, there had to be a risk of harm before a breach was reportable, whereas now the breach must be reported unless it can be established and proven that the risk of the data having been compromised is low.
The requirement for violation reporting under past legislation was dictated by the extent of the information exposed. In the past, personal data such as dates of birth and Social Security numbers had to have been exposed for notifications to be issued, whereas now even the exposure of limited data containing no dates of birth or Social Security numbers must be dealt with as a full data breach.
Notices of Privacy Practices must be refreshed under the new rule, which requires people to be informed about how, and under what circumstances, they will be contacted by the covered body; they must now also be permitted to opt out of receiving such correspondence. The use of Protected Health Information for marketing purposes has also been restricted, and the sale of PHI has been prohibited.
Other amendments serve to increase patients' rights to access their health information and to limit to whom that information can be given. Patients can ask that Medicare not be informed of any medical services they have received and paid for in full themselves, and similarly a request can be submitted to a healthcare provider not to disclose details of medical treatments to their health plan if the patient has paid for them in full out of their own pocket.
Prior to the passing of the new rule, Business Associates of covered bodies could not be held responsible for HIPAA violations, and neither could their covered body if it could be established that it was unaware of any pattern or practice that breached the business agreement (provided it had complied with the HIPAA Privacy and Security Rules). The Omnibus Rule removes this exception: Business Associates can now be held liable for non-compliance issues and data breaches, provided they acted in the capacity of an agent of the covered entity.
The OCR will now be enforcing the Omnibus Rule. Although it is not expected to issue financial sanctions immediately, fines of up to $1.5 million per violation can be issued by the OCR for instances of non-compliance. It is therefore important that all covered bodies which have not yet put in place the changes mandated by the Omnibus Rule do so immediately, and check their Business Associate agreements to ensure that they have been brought up to date to take the Omnibus changes into account.