HIPAA Final Omnibus Rule, 2013 | Ruling | Overview for Covered Entities & Business Associates

In January, 2013, The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released its final regulations containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (Final Omnibus Ruling), which paved the way for dramatic changes to HIPAA, particularly to the Privacy and Security Rules. In the past, HIPAA compliance was lacking any real regulatory compliance “teeth” - a law that simply advocated voluntary compliance.

HIPAA Compliance is Mandatory | Download Policies and Get Compliant
Fast-forward to 2013 and what’s now in place are real and severe penalties, along with enhanced compliance requirements for covered entities, business associates, and other related parties. Notable points worth mentioning for purpose of HIPAA Security Awareness and Workforce Training are the following:

  • Penalties that range from $100 to $50,000 per violation, depending on the level of culpability, with a $1.5 million cap per calendar year for multiple violations of identical provisions, and criminal penalties of up to 10 years in prison.
  • Significantly changes the breach notification analysis with a four (4) point process to test and ultimately determine whether or not protected health information (PHI) has been compromised, thus requiring breach notification.
  • Regarding marketing, the final rule requires authorization for all treatment and health care operations communications whereby the covered entity receives financial remuneration from the third party whose products or services are being marketed, though there still are exceptions.
  • Streamlined authorization requirements for the use of individuals’ PHI for research purposes.
  • Clarified that while business associates are not subject to all requirements of the Privacy Rule, they are to:
    • Comply with the terms of a business associate agreement related to the use and disclosure of PHI;
    • Provide PHI to the Secretary upon demand;
    • Provide an electronic copy of PHI available to an individual (or covered entity) related to an individual’s request for an electronic copy of PHI;
    • Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and
    • Enter into business associate agreements with subcontractors that create or receive PHI on their behalf.

Download HIPAA Policies and Compliance Toolkits Today
hipaapoliciesandprocedures.com also offers industry leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA) consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA specific disaster recovery manual, and so much more. Learn about our industry leading HIPAA compliance toolkits today.