Regulations are always evolving, and the Health Insurance Portability and Accountability Act is no exception.
In 2013, the Department of Health and Human Services added a new set of HIPAA requirements with the Omnibus Rule. But what does this rule require, and how should organizations respond? This article explains what you need to know to become HIPAA-compliant.
What is the HIPAA Omnibus Rule?
HHS published the HIPAA Omnibus Rule in 2013 as an addition to HIPAA, to plug gaps in the existing rules and respond to technological changes. The Omnibus Final Rule aims to:
- Provide more robust protections for individual privacy
- Enhance security of electronic Protected Health Information (ePHI)
- Make Business Associates liable for HIPAA breaches
- Protect private genetic information in line with the Genetic Information Nondiscrimination Act (GINA)
- Make the Breach Notification Rule more effective
- Improve economic and clinical health outcomes
The HIPAA Omnibus Final Rule has changed how Covered Entities and Business Associates operate. All bodies regulated by HIPAA should know the rule’s requirements and take action to ensure compliance.
The new rule covers health plans, clinical providers, and healthcare clearinghouses. Business Associates like app developers and IT support businesses must also be HIPAA-compliant.
This article will explain what the Omnibus Rule requires. We will provide the guidance needed to meet regulatory responsibilities under HIPAA.
What led to the passing of the Omnibus Rule?
HIPAA rules came into force in 2003. But the regulations did not stand still. The healthcare industry also changed rapidly, making older privacy measures less effective.
The early 2000s saw advances in data gathering and analysis. Healthcare companies started to work with third-party data specialists to deliver patient services. Data gathering created new care delivery opportunities. But it also meant that entities not covered by HIPAA handled more ePHI.
The healthcare industry also moved from paper records to health information technology. But it did not do so evenly. Technological change left some organizations behind. Insurers and providers also used different Electronic Health Record (EHR) formats.
In 2009, Congress passed the HITECH Act to remedy these problems.
The HITECH Act extended the definition of a Business Associate. The Act brought many new entities under the HIPAA umbrella. It increased penalties for HIPAA violations while strengthening privacy protections. It added new restrictions on the use of ePHI in marketing activities. The HITECH Act encouraged the adoption of standardized health information technology.
Legislators also changed the breach notification rules so that data breaches would be detected and reported. And they passed the Genetic Information Nondiscrimination Act. This legislation seeks to end discrimination based on genetic data.
These new enforcement rules made HIPAA much more complex. Extra complexity created compliance issues for covered entities. And it also led to confusion about how providers and health plans should protect patient privacy.
The Department of Health and Human Services published the Omnibus Rule to rationalize the HITECH enforcement rules. HHS sought to simplify HIPAA compliance. It also sought to balance economic and clinical health. The Omnibus Rule seeks to reduce costs for providers. And it aims to guard patient data more effectively.
Key provisions of the HIPAA Omnibus Rule
Provisions of the HIPAA Omnibus Rule include:
- Better patient access and greater control over how organizations use PHI
- Tightened restrictions on marketing health information
- Easier research consent processes for academic studies
- Streamlined breach notification rules and risk assessment guidelines
- Controls on the use of genetic information by insurers
- Accountability for business associates and sub-contractors
- Higher caps for compliance violations
- Requiring the use of EHR to improve health insurance portability
HIPAA Omnibus Rule and Business Associates and Subcontractors
Under the Omnibus Rule, Business Associates and covered entities have similar compliance responsibilities. Business Associates must follow the HIPAA Security Rule and Breach Notification procedures. Many aspects of HIPAA’s Privacy Rule also apply.
Business Associates are directly liable for compliance violations. They must follow the HIPAA Privacy Rule, the Security Rule, and the Breach Notification Rule. Liability applies to organizations that contract with covered entities. And it also extends to sub-contractors who handle or store health information.
The Omnibus Rule makes watertight Business Associate Agreements (BAAs) crucial. These contracts establish the responsibilities of associates under HIPAA. They extend privacy and security protections. And they cover all organizations in the healthcare supply chain.
New changes in the HIPAA Omnibus Rule
Patient access and control
The Omnibus Rule gives patients greater rights over how organizations use health information. Individuals can request electronic copies of their Protected Health Information. Not providing this information is now counted as a critical compliance failure.
The rule also changed regulations about the disclosure of ePHI. Covered entities must follow patient requests not to disclose PHI to health plans. This rule only applies if patients have paid in full for healthcare services.
Breach notification
Previously, notifications covered breaches involving a “risk of harm” to over 500 individuals. The Omnibus Rule changed this.
Under the new rule, covered entities must always presume that a breach has occurred. The number of records affected is irrelevant. Organizations must prove that security incidents did not compromise patient privacy. Otherwise, they must submit a breach notice.
For example, an employee may give an outsider access to health data. If the covered entity can prove that the exposed PHI was encrypted, it may not need to submit a breach notice.
The Omnibus Rule introduced a new four-stage risk assessment process. This process streamlines incident responses. Covered entities can determine whether they must notify individuals and regulators. And they can take swift action to restrict disclosure in the future.
Selling PHI
HIPAA-compliant organizations must get written consent from individuals before selling health data. Individuals can also prohibit the sale of their personal health information. Organizations may sell ePHI with consent. But they must explain this in their Notice of Privacy Practices.
Marketing restrictions
The Omnibus Rule requires consent to use personal health information in marketing operations. Providers cannot provide patient details to device manufacturers or pharmaceutical companies without authorization. Organizations cannot receive third-party payments for supplying health information.
Genetic information
The Omnibus Rule brings GINA requirements into HIPAA regulations. A health plan cannot use genetic information when making decisions about coverage. Covered entities must get consent from individuals before using genetic data.
Regulatory fines
The Omnibus Rule introduced a four-tiered system of penalties. When deciding penalties, the Office for Civil Rights (OCR) must take into account:
- The number of affected individuals
- How long the HIPAA compliance violation lasted
- The severity of the violation with regard to patient safety and privacy
HIPAA now caps annual penalties at $1.5 million for each type of violation. This significantly increased the largest penalty. However, the Omnibus Rule does not seek to maximize income from regulatory fines.
The OCR may waive fines if covered entities respond proactively. Regulators also assess penalties on a case-by-case basis. The Office for Civil Rights avoids penalizing smaller healthcare companies if possible.
Compliance and implementation steps
Compliance with the Omnibus Rule is mandatory for covered entities and Business Associates. Follow these steps to become fully HIPAA-compliant:
1. Assess security and privacy practices
Change consent processes to reflect the requirements of the Omnibus Rule. Put in place patient education policies that inform individuals about their rights.
2. Check Business Associate Agreements
Business Associate Agreements should require associates to follow the HIPAA Security Rule. And they should cover relevant privacy rules. Assess supply chains to ensure that sub-contractors follow HIPAA regulations.
3. Audit associates and sub-contractors
Include Omnibus Rule compliance in contract monitoring procedures.
4. Update risk assessment policies
Put in place a four-step risk assessment for PHI exposure. Amend notification policies to follow new HIPAA guidelines.
5. Train employees to follow the Omnibus Rule
Put in place tighter breach detection guidelines. Educate employees and associates about privacy requirements.
6. Audit marketing agreements
Revisit marketing agreements with third parties. End non-compliant collaborations. Run risk assessments on all marketing operations to identify compliance risks.
Update HIPAA compliance to follow the Omnibus Rule
The HIPAA Omnibus Rule imposes new duties on covered entities and associates. Organizations must educate patients about consenting to data sharing and accessing patient records. They must update associate agreements and marketing practices. And organizations should improve their breach response processes to avoid regulatory fines.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.