Are You Ready for the HIPAA Omnibus Rule September 23rd Deadline?

(Protection of personal health information takes on added importance)

A 2013 law change related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will become effective in just a few weeks, impacting parties who handle personal health information.  The rules are likely to affect some parties, such as subcontractors, who may not be aware such rules apply to them, and they are accompanied by some potentially severe penalties for noncompliance.  We encourage any of our readers who work in fields handling health records to become familiar with these new rules.

The Omnibus Rule was published in January 2013 as a part of the final modifications to HIPAA mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The rule is a modification of HIPAA’s previous requirements, and essentially changes the responsibility for compliance to HIPAA. It impacts the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. The Omnibus Rule became effective on March 26th, 2013. Covered entities will have 180 days beyond the effective date to become compliant, giving the rule a compliance date of September 23, 2013.

Key changes made by the Omnibus Rule

  • Business associates are now directly liable for compliance with portions of the HIPAA Privacy and Security Rules, including the requirement to evaluate subcontractors.
  • The sale and the disclosure of personal health information (PHI) has been prohibited and restricted for marketing and/or fundraising purposes.
  • Individual rights to obtain electronic copies of their health information have been expanded and the disclosure of ePHI to health plans if service was paid in full by the individual is now restricted.
  • Individuals’ authorization requirements to facilitate research and disclosure of child immunization proof to schools have been modified, and access to descendent information has been enabled.
  • A tiered civil money penalty structure has been implemented; fines could be as great as $1.5 million for each identical type of violation.
  • The Breach Notification Rule’s “harm” threshold has been replaced with a more objective standard.

Covered entities routinely rely on business associates that create, receive, maintain, or transmit PHI. It is now clear that that business associates, including subcontractors such as brokers, consultants, and third party administrators, are directly liable for compliance with certain parts of the entire HIPAA Security and Privacy Rules.

Modifications to the HIPAA Enforcement Rule have significantly altered penalties for non-compliance. Changes to the rule include establishing four categories of violations that reflect increasing levels of culpability and four corresponding tiers of penalty amounts that increase the minimum penalty for each violation considerably. After September 23, 2013, complaints indicating violations of the Omnibus Rule will be formally investigated. The Omnibus Rule sets severe penalties where a covered entity fails to meet compliance due to “willful neglect.”

To avoid penalties for non-compliance due to “willful neglect,” covered entities should have, at a bare minimum, evidence of a good faith effort of compliance with the new Omnibus Rule. This includes updated policies and procedures and a Security Rule risk assessment. Covered entities should contact all business associates to review existing business agreements and conduct a gap analysis between their current policies and procedures and the new requirements stated by the Omnibus Rule by September 23rd, 2014.

If you have any questions, please contact Pat Morin or your BNN advisor at 1-800-244-7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.