Highlights for Compliance: HIPAA Omnibus for CEs and BAs
Time is growing short! Here are some highlights from the Omnibus final rule covered entities and business associates should be mindful of to ensure compliance by Sept. 23, 2013.
Healthcare Compliance Pros provides training for your practice in all of the following areas for compliance.
- The final rule expands patient rights by allowing them to ask for a copy of their electronic medical record in electronic form.
- Under the final rule, when patients pay out of pocket in full, they can instruct their provider to refrain from sharing information about their treatment with their health plan.
- If a Medicare beneficiary requests a restriction on the disclosure of PHI to Medicare for a covered service and pays out of pocket for the service, the provider must also restrict the disclosure of PHI regarding the service to Medicare.
- The final rule sets new limits on how information can be used and disclosed for marketing and fundraising purposes, and it prohibits the sale of an individual's health information without their authorization.
- Penalties for noncompliance with the final rule are tiered by the level of culpability (from lack of knowledge up to willful neglect), with a maximum of $1.5 million per calendar year for all violations of an identical provision.
- The breach notification final rule was amended to require an assessment of the "risk of compromise" of the PHI rather than the risk of harm to the individual. "Compromise" was considered a more objective test than harm. As a result, an impermissible use or disclosure of PHI is presumed to be a breach, and notification is required, unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised.
- To demonstrate a low probability that PHI has been compromised, the covered entity or business associate must conduct and document a risk assessment that considers at least each of the following four factors: (a) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (b) the unauthorized person who used the PHI or to whom the disclosure was made; (c) whether the PHI was actually acquired or viewed; and (d) the extent to which the risk to the PHI has been mitigated.
- The final rule changed which incidents are exceptions to the definition of "breach." Previously, an incident was excluded from the definition of breach if the PHI used or disclosed was a limited data set that did not contain any birthdates or ZIP codes. Under the final rule, breaches of limited data sets, regardless of their content, must be handled like all other breaches of PHI.
- Providers and covered entities still have a safe harbor: an unauthorized disclosure only rises to the level of a breach, and thereby triggers the notification requirements of the HITECH Act, if the PHI disclosed is "unsecured." PHI that has been encrypted or destroyed in accordance with the HHS guidance is not unsecured, so its loss or disclosure does not require notification.
- Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS in published guidance.
- Requirements for the methods of breach notification remain unchanged. That is, providers and covered entities must provide notice to the affected individuals, to the media (if the breach affects more than 500 residents of a state or smaller jurisdiction) and to HHS (if the breach affects more than 500 individuals, regardless of location). Business associates, meaning people or organizations that perform functions for the covered entity involving the use or disclosure of individually identifiable health information, must also notify the covered entity without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI.
- Covered entities' Notice of Privacy Practices forms need to inform patients that they will be notified if their PHI is subject to a breach. NPPs must also inform individuals that the covered entity may contact them to raise funds, and that the individual has a right to opt out of receiving such communications.
- Business associate agreements and policies and procedures must address the prohibition on the sale of patients' PHI without authorization.
- Covered entities must modify and implement policies and procedures that address the new limits on permissible uses of information for marketing and fundraising activities.
- Covered entities' business associate agreements and policies and procedures must address the expanded rights of individuals to restrict disclosures of PHI.