The HIPAA Omnibus Rule (Health Insurance Portability and Accountability Act of 1996 Omnibus Rule) was drafted in July 2010; however the final release has been put off until this month some of the concerns raised by stakeholders about the latest HIPAA amendment can be properly addressed.
The final rule has been held by the Office of Management and Budget since March 2012 although the final release has now been released. All HIPAA-covered bodies – and their business associates – must read the new rule and make changes to existing policies and procedures and factor in the new changes. Healthcare organizations have 180 days in order to introduce the changes as the Final Rule will not be applicable until Sept 22, 2013.
The new rule has been passed to bring HIPAA in line with HITECH, and was introduced by the U.S. Department of Health and Human Services’ Office of Civil Rights to include the use of Health Information Technology (HIT) and ensure that patient health information is properly secured. The final rule represents a major amendment to the legislation and is the most extensive change to be passed since HIPPA came into effect in 1996.
The Final Rule is 563-pages long; although the major points covered in the amendment – in terms of HIT – are listed below:
- A person’s Personal Health Information should be properly secured and policies have been introduced to enhance security and privacy protection
- There is now a requirement for Business Associates and their subcontractors to be HIPAA compliant and meet the same standards as covered bodies
- The new rule does not allow the sale of PHI without prior permission being obtained and restrictions have been placed on the of the use of health data for marketing reasons
- Patients are able to stop their health plan providers from being informed about services paid for in cash
- Further modifications have been made to the Privacy Rule to cover the possible use of genetic information
- Changes to Breach Notification Rules brings in a new standard for the assessment of the liability of a healthcare organization following a data breach
- The OCR’s strategy for enforcing HIPAA regulations has been explicitly stated
- Changes have been made to make it simpler for parents to share-proof a child’s immunization with their school
- It will be easier for people to permit the use of their personal health information for research purposes
- The new rule introduces stiff sanctions for non-compliance and data violations based on the degree to which the body in question is liable, with a maximum fine of up to 1.5 million per violation