The HIPAA Omnibus Rule was published in the Federal Register on January 25, 2013, and combines four closely related final rules into one. It modified the Privacy and Security Rules for covered entities (health plans, health care clearinghouses, and health care providers) and for their business associates. Its primary purpose was to implement the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, strengthening the protections for health information originally established under HIPAA. With the HIPAA Omnibus Rule checklist below, organizations can gauge how their current HIPAA practices measure up.
See how well your organization is faring against each item:
Business associates: Liability and requirements
Under the Omnibus Rule, the HIPAA Security Rule, the Breach Notification Rule, and the Privacy Rule provisions that govern business associate activity apply directly to business associates of covered entities, who are now directly liable for violations. A business associate is any entity that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity. The Omnibus Rule made clear that this includes health information organizations, e-prescribing gateways, other data transmission services that require routine access to PHI, personal health record vendors acting for a covered entity, and subcontractors of business associates, as well as the contractors, consultants, and data storage firms already covered. Like covered entities, business associates must implement the policies, procedures, and safeguards these rules require.
New Business Associates must be identified and agreements must be executed
If you are a covered entity, you must have a Business Associate Agreement (BAA) in place with each business associate before allowing it to create, receive, maintain, or transmit PHI on your behalf. The Omnibus Rule expanded the definition of business associate: entities that provide data transmission services involving PHI and require routine access to it, such as health information organizations, are now included. Business associates in turn must identify their own subcontractors that create, receive, maintain, or transmit PHI on their behalf and execute a written BAA with each of them; the covered entity does not need a direct agreement with the subcontractor.
Review and Amend your Business Associate Agreements, if necessary
Covered entities and business associates must ensure that the elements required by 45 CFR §§ 164.314(a) and 164.504(e) are included in their existing and future agreements. In addition to the pre-Omnibus requirements, the agreement must now obligate the business associate to the following:
- Compliance with the Security Rule
- Execution of BAA with their subcontractors
- Compliance with any Privacy Rule requirement that applies to the covered entity, to the extent the business associate carries out that obligation on the covered entity's behalf
- Reporting of breaches of unsecured PHI to the covered entity
Updated Privacy Policies
The Omnibus Rule also requires covered entities to update their Privacy Rule policies. The following changes apply to covered entities:
- Deceased Persons: Covered entities may now disclose the PHI of a deceased person to family members and others who were involved in the person's care or in payment for that care before death, unless doing so is inconsistent with a prior expressed preference of the deceased that is known to the covered entity.
- Patient Access to Electronic Information: When PHI is maintained electronically and the patient asks for an electronic copy, the covered entity must provide it in the electronic form and format requested if it is readily producible, or otherwise in a readable electronic form agreed to by both parties.
- Response to Requests for Access: Covered entities must respond to a patient's request for access to their PHI within 30 days. One 30-day extension is permitted if the patient is told in writing why the delay is needed and when the records will be provided; the former extra allowance for records held off-site has been removed.
- Limited Disclosure to Health Plans: A covered entity must agree to a patient's request not to disclose PHI to the patient's health plan when (1) the disclosure would be for payment or health care operations and is not otherwise required by law, and (2) the PHI pertains solely to an item or service for which the patient, or someone on the patient's behalf other than the health plan, has paid in full out of pocket.
- School Immunizations: Covered entities may disclose proof of immunization to a school when (1) state or other law requires the school to have it before admitting the student, and (2) the covered entity obtains and documents agreement from the parent or guardian, or from the patient if an adult or emancipated minor. That agreement may be given orally, but it must be documented.
- Sale of Information: To sell a patient's PHI, a covered entity must obtain the patient's written authorization, and the authorization must state that the disclosure will result in remuneration to the covered entity.
- Marketing: To send a patient marketing communications for which the covered entity receives financial remuneration from a third party, the covered entity must obtain the patient's written authorization; the authorization must disclose that remuneration is involved.
- Fundraising: Covered entities may now use a broader set of PHI (for example, department of service, treating physician, and outcome information) and disclose it to institutionally related foundations to support fundraising. Every fundraising communication must include a clear and conspicuous opportunity to opt out of further communications, the opt-out method may not impose an undue burden or more than a nominal cost on the patient, and treatment or payment may not be conditioned on the patient's choice.
- Research: If you are a covered entity engaged in research, review the revised authorization standards in 45 CFR § 164.508(b), which now permit a single compound authorization that combines conditioned and unconditioned research components, provided the patient can opt in to the unconditioned component separately.
The Breach Notification Policy Update
Included in the HIPAA Omnibus Rule checklist is a revised standard for deciding when a breach must be reported. The old "significant risk of harm" test is gone. Under the current standard, any use or disclosure of PHI that is not permitted by the Privacy Rule is presumed to be a reportable breach unless (1) the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised, or (2) one of three narrow exceptions applies: unintentional good-faith access by a workforce member within the scope of their authority, inadvertent disclosure between two persons authorized to access PHI at the same organization, or a good-faith belief that the unauthorized recipient could not reasonably have retained the information. The risk assessment must consider at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Separately, notification obligations apply only to unsecured PHI. PHI that was encrypted or destroyed in accordance with HHS guidance is not "unsecured," so a lost encrypted laptop, for instance, does not trigger notification, provided the key was not also compromised; this is a threshold question, not one of the three exceptions. Document both the risk assessment and the basis for any encryption safe-harbor claim.
Covered entities and business associates are also required to train their workforce on these rules and on the organization's own policies, and to document that training. This HIPAA Omnibus Rule checklist can help you organize that work.
Review the HIPAA Omnibus Rule checklist with HIPAA Ready
Following the HIPAA Omnibus Rule checklist on your own can seem daunting. The Omnibus Rule also requires covered entities to revise and redistribute their Notice of Privacy Practices (NPP). The revised NPP must describe the uses and disclosures that now require authorization (marketing and sale of PHI), the patient's right to opt out of fundraising communications, the right to restrict disclosures to a health plan for services paid in full out of pocket, and the right to be notified of a breach of unsecured PHI. For health plans, the NPP must also state that the plan is prohibited from using or disclosing genetic information for underwriting purposes. HIPAA is continually updated, and with so many changes it can be a challenge to keep the policies already implemented in your practice current. With HIPAA Ready, following the HIPAA Omnibus Rule checklist alongside the other HIPAA rules is streamlined and simple.
HIPAA Ready is HIPAA compliance software in which you can easily update, customize, and add the policies required to comply with HIPAA's rules and regulations. You can notify staff members and employees about your existing policies and about any changes. HIPAA Ready also includes training management features designed to reduce the complexity of HIPAA compliance. Whether you are working through the HIPAA Omnibus Rule checklist or the checklist for another rule, HIPAA Ready is here to help you with your compliance obligations. Please leave a comment if you have any questions.