BreachExchange mailing list archives

Breaking Down HIPAA Rules and Regulations: The Omnibus Rule


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Feb 2015 18:57:06 -0700

http://healthitsecurity.com/2015/02/20/breaking-down-hipaa-rules-and-regulations-the-omnibus-rule/

As healthcare organizations continuously update their systems and implement
the latest tools to improve patient care, it is important for providers to
remain mindful of all HIPAA rules and regulations. Starting this week,
HealthITSecurity.com will dive deep into different aspects of HIPAA, and
explain how the legislation affects different players in the healthcare
industry. We will break down the HIPAA Privacy Rule, the HIPAA Security
Rule, and also explain any changes or adjustments that have recently taken
place.

Be sure to check back in regularly to ensure that you remain up-to-date on
HIPAA and understand how it applies to your organization, employees, and
your facility’s policies and procedures.

The Omnibus Rule

We start this new review by looking at the HIPAA Omnibus Rule, which was
finalized in January 2013 and went into effect on March 26, 2013. The
update improved patient privacy protections, gave individuals new rights to
their health information, and also strengthened the government’s ability to
enforce the law.

Four final rules combine to make up the final Omnibus Rule:

- Final modifications were made to the HIPAA Privacy, Security, and
Enforcement Rules
- Changes were made to the HIPAA Enforcement Rule to incorporate the
increased and tiered civil money penalty structure provided by the HITECH
Act
- Changes were made on Breach Notification for Unsecured Protected Health
Information under the HITECH Act
- Final modifications were made to the HIPAA Privacy Rule as required by
the Genetic Information Nondiscrimination Act (GINA) to prohibit most
health plans from using or disclosing genetic information for underwriting
purposes

An important aspect of the Omnibus Rule was that there was a transition
period – covered entities and their business associates had time to make
necessary changes so that they could still fulfill their breach
requirements under the HITECH Act.

"…the provisions of section 13402(j) of the HITECH Act apply to breaches of
unsecured protected health information discovered on or after September 23,
2009, the date of the publication of the interim final rule. Thus, during
the 180 day period before compliance with this final rule is required,
covered entities and business associates are still required to comply with
the breach notification requirements under the HITECH Act and must continue
to comply with the requirements of the interim final rule."

Key changes from the Omnibus Rule

Another important change that took place because of the Omnibus Rule was
that several aspects of health information were redefined. For example, the
definition of “electronic storage material” was changed to “electronic
media.” This was done to better accommodate future changes and
developments in digital storage technology.

“Electronic storage material on which data is or may be recorded
electronically, including, for example, devices in computers (hard drives)
and any removable/transportable digital memory medium, such as magnetic
tape or disk, optical disk, or digital memory card,” the Rule states.

The definition of protected health information (PHI) also received a slight
modification. Essentially, the Omnibus Rule states that the Privacy Rule
does not trump “State or other laws that provide greater protection for
such information, or the professional responsibilities of mental health or
other providers.”

How HIPAA rules apply in certain territories was also clarified in the
final Rule:

State refers to one of the following:

(1) For a health plan established or regulated by Federal law, State has
the meaning set forth in the applicable section of the United States Code
for such health plan.

(2) For all other purposes, State means any of the several States, the
District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands,
Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands.

There were also key changes to the HIPAA rules in terms of how covered
entities and their business associates interact. Many of the requirements
for business associates were expanded. For example, the definition of a BA
was extended to include subcontractors working with BAs, Health
Information Organizations, e-prescribing gateways, and any other entity that
touches or transmits PHI. Moreover, these organizations are liable for PHI
uses and disclosures and for HIPAA Security Rule compliance.

Additionally, BAs must enter into business associate agreements with their
subcontractors, while BAs – not covered entities – are now also responsible
for responding to any noncompliant subcontractors. The chain of
responsibility must be documented. Essentially, any organization that
touches PHI needs to have a business associate agreement in place.

Better PHI protection

The Omnibus Rule was designed to further enhance the already existing HIPAA
rules and regulations. As technology changes, and covered entities and
their associated BAs implement new systems, the Omnibus Rule can now
account for that. There are many aspects of the new Rule and HIPAA that
covered entities need to thoroughly understand. Be sure to check in next
week to read more about HIPAA rules, the Omnibus Rule, and how they affect
your organization.