HIPAA Omnibus Rule Changes – What You Don’t Know Can Hurt Your Business

by Amy Letke | Aug 2, 2013 | Blog

Amy Newbanks Letke, SPHR, GPHR, is the Founder of Integrity HR, Inc. Amy provides workplace solutions to improve performance, reduce liability and increase profits. She is passionate about helping other entrepreneurs and business owners achieve success. Contact us for more insights - 502-753-0970 or info@integrityhr.com

I don’t know about you, but every day there seems to be another “change” businesses have to deal with.

Form I-9 changes. Health Care Reform changes. Throw in some personnel changes and you’ve got yourself quite the HR headache.

In all the Health Care Reform hustle and bustle, you may have overlooked (or accidentally deleted) information about the HIPAA Omnibus Rule changes.

Maybe you put that information into one of those nifty Google email filters, figuring you’d get to that later. Well, we want to bring that information out of that black hole because what you don’t know can hurt your business!

While the HIPAA Omnibus Rule was finalized back in January and made effective in March, companies must be in compliance by September 23 (which will be upon us before we know it!).

So it’s time to talk about it and more importantly, it’s time to get your house in order so you stay compliant and out of trouble.

Let’s get started.

Here’s what you need to know now:

The U.S. Department of Health and Human Services strengthened the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). (I apologize in advance for all the acronyms.)

The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

New Requirements for Business Associates

Previously, HIPAA regulations generally covered any business associate who performed or assisted in any activity involving the use or disclosure of individually identifiable health information, such as third-party administrators, pharmacy benefit managers and benefit consultants.

Under the new regulations, business associate status is triggered when a vendor “creates, receives, maintains or transmits” personal health information.

The key addition in this part of the regulation is to be found in the word ‘maintains,’ because any entity that ‘maintains’ protected health information on behalf of a covered entity—even if no access to that information is required or expected—will be a business associate.

Under the Final Rule, business associates are directly liable for the following Privacy Rule requirements as well as that of their subcontractors, even if they never entered into a business associate agreement:

  • Impermissible uses and disclosures of protected health information;
  • Failure to enter into business associate agreements with subcontractors;
  • Failure to provide breach notification to the covered entity;
  • Failure to provide access to a copy of electronic protected health information to either the covered entity or the owner of the data;
  • Failure to disclose protected health information when required by the U.S. Department of Health and Human Services; and
  • Failure to provide an accounting of disclosures of protected health information upon request.

Under the new rule, penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. Yikes!

Under the previous rules, an impermissible use or disclosure of protected health information—including electronic—was a breach only if it posed a significant risk of harm to the individual.

The U.S. Department of Health and Human Services included in the new rules a presumption that any impermissible use or disclosure of protected health information is a breach, subject to breach-notification rules.

The only way to get out of this presumption is by a demonstration that there is a low probability that the protected health information was compromised.

To demonstrate low probability, the health plan or business associate must perform a risk assessment of four factors—at a minimum:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the protected health information or to whom the disclosure was made.
  • Whether the protected health information was actually acquired or viewed.
  • The extent to which the risk to protected health information has been mitigated.

The U.S. Department of Health and Human Services has indicated that it expects these risk assessments to be thorough, completed in good faith, and to reach reasonable conclusions. If the risk assessment does not find a low probability that protected health information has been compromised, then breach notification is required.

Here are some more important parts of the final rule.

The HIPAA Omnibus Rule:

  • extends the requirements of the privacy and security rules to physicians’ business associates (remember, a business associate is a vendor who “creates, receives, maintains or transmits” protected health information) and their subcontractors;
  • establishes new limitations on the use of protected health information for marketing and fundraising purposes;
  • prohibits the sale of a patient’s protected health information without specific individual authorization to do so;
  • expands patients’ rights to request and receive electronic copies of their protected health information;
  • broadens patients’ ability to restrict, in some instances, disclosure of their protected health information to health insurance plans; and
  • requires covered entities to modify and redistribute their individual notice of privacy practices.

Here’s what you need to do now:

Whew! Is your head spinning? That is a lot of information to take in. So we’re going to try to make the next part as simple as possible.

The U.S. Department of Health and Human Services is going to step up its enforcement to make sure businesses are following the Final Rule. To protect your business, employers should review and revise their business associate agreements to ensure compliance with the security rule, paying special attention to the inclusion of subcontractors.

Also, employers should review and revise their breach notification procedures that detail how a risk assessment will be conducted.

Lastly, it is equally important to train employees who have access to protected health information on these updated policies and procedures.

Get your house in order now so that you do not become the subject of a very messy audit followed by very expensive fines.

Bonus: Best Practices To Stay Compliant With HIPAA

Normally, an employer will only deal with entities covered by HIPAA, not actually be one. However, if an employer has any kind of health clinic operations available to employees, or provides a self-insured health plan for employees, or acts as the intermediary between its employees and health care providers, it will find itself handling the kind of personal health information that is protected by the HIPAA privacy rule. The latter is typically where employers fall. So here are some best practices to stay compliant with HIPAA.

Scenario: A manager passes around a get-well card for a team member who is absent, tells everyone they are having an operation, and gives details (e.g. “she is having a cyst removed from her ovary”). This would be a potential violation because the supervisor should not share this information.

Best Practice: The employee is the only person who should share and the supervisor should simply say the employee is out on leave.

Scenario: A company fails to have HIPAA training in place for staff who handle PHI; a staff member who handles benefit documents inadvertently discloses information about an employee to another employee. The company can be held liable for not training the staff who handle protected health information on HIPAA requirements.

Best Practice: A company must be accurate in determining who needs HIPAA training, and in determining what training is necessary. An HR Administrator who files employee insurance applications is not going to need the same depth and breadth of training as the Practice Administrator of a medical clinic.

Scenario: A company fails to secure documents with protected health information on them in a computer or physical file cabinet.

Best Practice: A company must secure documents with protected health information on them. Only those with proper training should be able to access these documents.

If you want to make sure all aspects of HR in your organization are in order, we suggest taking our free, online HR compliance review. Fill out the form below to get one step closer to reducing your risk, increasing productivity, and gaining peace of mind!
