9. What is the Final Omnibus Ruling of January 2013 for purposes of HIPAA?
Answer: The Final Omnibus Ruling of January 2013 was meaningful in many ways for HIPAA compliance, most notably in that it significantly enhanced reporting requirements and overall responsibilities for Covered Entities and Business Associates, while creating clarity and transparency on the overall topic of HIPAA compliance. It was essentially a pronouncement that gave healthcare organizations a “wake-up” call, telling them that HIPAA compliance was serious and that enforcement – once and for all – was real, very real. Call it a “game changer” if you will, as it brought about some very significant enhancements to the Health Insurance Portability and Accountability Act (HIPAA):
- Gives patients even more rights by allowing them to request their electronic medical records in actual “electronic” form.
- Puts in place new limits and restrictions on how information can be used and disclosed for marketing and fundraising purposes, while also prohibiting the sale of an individual's health information without their permission.
- Penalties for noncompliance are now based on the level of negligence, with a maximum penalty of $1.5 million per violation.
- The breach notification final rule was also amended with a stipulation to determine the breach's overall "risk of compromise" rather than the harm itself. Simply stated, the notion of “compromise”, as opposed to “harm”, was considered a more objective and realistic test. As a result, a breach notification is necessary in all situations except those in which Covered Entities (CE) and Business Associates (BA) demonstrate a low probability that Protected Health Information (PHI) has actually been compromised.
- Both Covered Entities (CE) and Business Associates (BA) need to undertake a comprehensive risk analysis – that is, a risk assessment – on an annual basis. This alone can be an incredibly time-consuming task.
- Changes were made regarding which "incidents" are to be considered "exceptions" to the definition of "breach." Prior to the Final Omnibus Ruling, an incident was an exception to the definition of breach if the PHI used or disclosed was a limited data set that did not contain any birthdates or ZIP codes. Now, under the final rule, breaches of limited data sets — regardless of their content — are to be handled like all other breaches of PHI.
- Providers and Covered Entities (CE) still have a safe harbor whereby an unauthorized disclosure only rises to the level of a breach — triggering the notification requirements of the HITECH Act — if the PHI disclosed is "unsecured." Remember that unsecured PHI is essentially PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Department of Health and Human Services (HHS). (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.htm)
- Policies and procedures, for both Covered Entities (CE) and Business Associates (BA), have received considerable attention under the Final Omnibus Ruling in that they must now be much more comprehensive, expansive, and up to date on the many new HIPAA changes.
Download HIPAA Policies and Compliance Toolkits Today
hipaapoliciesandprocedures.com also offers industry-leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA), consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA-specific disaster recovery manual, and much more. Learn about our industry-leading HIPAA compliance toolkits today.