HIPAA Omnibus Confusion
There's still plenty of confusion about compliance with the HIPAA Omnibus Rule, and with HIPAA in general. Here's a sampling of critical issues to be aware of in your practice.
Many providers are reluctant or inconsistent in disclosing patient information to other providers, even when the information is needed for the immediate treatment of patients. They often cite HIPAA as the reason they can't disclose patient information. They also cite fears about lawsuits or federal penalties for HIPAA violations.
Disclosures of protected health information for treatment, payment and operations have always been permitted under HIPAA. If a compliance issue were to arise, OCR would be unlikely to issue financial penalties for inappropriate disclosures related to treatment. Instead, it would most likely issue a "corrective action" if there was some sort of problem, as long as it wasn't part of an ongoing, "egregious" pattern of inappropriate disclosures.
The HIPAA Omnibus Rule, which will be enforced beginning Sept. 23, makes it clear that business associates and their subcontractors that receive, create, transmit or maintain protected health information are now directly responsible for HIPAA compliance.
Another business associate theme that OCR emphasizes is that it's not the degree of access to PHI but the persistence of custody that should be considered when trying to decipher whether a cloud vendor, for instance, is a business associate under HIPAA Omnibus.
OCR officials stress that HIPAA is a floor, not a ceiling. It's a valve, not a blockage. And they caution healthcare organizations not to let security trump patient preference. So what does that all mean?
Clearly, an organization can do more than what's required under HIPAA in terms of safeguarding health information. Similarly, states can issue privacy laws that are even stricter than HIPAA, and many have.
HIPAA isn't meant to block PHI disclosures that are necessary for the well-being of patients. That gets to the heart of the issue of sharing information with other providers and even disclosing information to patients.
HIPAA has been misinterpreted by some healthcare providers to the point where they believe it prevents the release of important information for the treatment of patients. There's also confusion among mental health professionals about whether they can (yes, they should) contact law enforcement officials about patients who pose an immediate danger to themselves or others.
Finally, while HIPAA's Security Rule has prompted more organizations to deploy technical safeguards, such as encryption, to protect data, patients can still request that their electronic communications with healthcare providers, such as appointment reminders, be conducted via unsecured email or texting. Whatever you do to comply with the Security Rule, you need to be flexible enough to support the Privacy Rule and patient preferences. If patients prefer unencrypted e-mails, that's permissible. Just warn them of the risks.
So, when it comes to complying with the HIPAA Privacy and Security Rules, as well as the modifications in HIPAA Omnibus, it's important to understand the nuances and avoid misinterpretations.