Although it was announced in January, the HIPAA Omnibus Rule finally went into effect this past Monday. The rule is meant to strengthen privacy and security protections for health information established under HIPAA in 1996.
“Much has changed in health care since HIPAA was enacted over 15 years ago,” said HHS Secretary Kathleen Sebelius in the original omnibus press release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”
So while it’s difficult to read through a 126-page long rule, it’s also true that physicians who aren’t up to date on its stipulations run the risk of incurring financial penalties from the Office of Civil Rights. In fact, penalties for HIPAA violations can reach as high as $1.5 million per year for a single provider.
Naturally, Power Your Practice is trying to save you from such a daunting read. Below is a quick overview of some of the HIPAA Omnibus Rule’s most important changes.
Patients have increased access to PHI
Under the new omnibus rule, patients can now request their personal health information (PHI) in electronic format. The information must be provided to the extent it is readily producible by your practice.
Practices can charge a cost-based fee for copying the records, but patients cannot be charged for the time spent searching for them. A quality patient portal is the best way to make PHI readily available to patients, since patients can pull the necessary information on their own.
Business Associates have increased responsibility
Defined as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides service to, a covered entity,” Business Associates (BA) are now directly responsible for patient security. This means your practice can’t be held liable for a BA’s mistakes.
The catch is that each BA must be operating under a written agreement with your practice that includes language compliant with the new HIPAA Omnibus Rule. Agreements entered into prior to January 25, 2013, and not modified between March 25 and September 23, 2013, will count as compliant until September 22, 2014. Aside from those exceptions, agreements must be in compliance with the new omnibus rule.
Patients have increased domain over PHI
The new omnibus rule sets limits on how PHI is used for marketing purposes. Before you can market a third-party service based on PHI, or sell or provide access to this data for payment, you must get permission from each patient whose PHI will be used.
Shift in breach notification standards
According to Healthcare Info Security, the standard for breach notification has shifted from assessing whether an incident is likely to cause some type of harm, to a more objective assumption that an incident is a reportable breach unless there is a low probability the data is compromised. This affects the way you have to think about possible security breaches.
Different rules for cash payment
Using cash to pay for treatment gives patients even more authority over their information. When patients pay using cash, they can now ask you not to share treatment details with their health plan. Not adhering to these requests can result in financial penalties.
There’s still a chance to adjust to the HIPAA Omnibus Rule if you haven’t had the time and/or energy. The OCR isn’t conducting any sort of Omnibus crackdown at this point, giving physicians time to get up to speed and become accustomed to the restrictions affecting them most. In other words, be prudent and make the adjustments now so you don’t have to worry about HIPAA penalties later.