The Health Insurance Portability and Accountability Act (HIPAA) will be 17 years old on August 21st. This law was enacted, among other reasons, to protect patients’ protected health information (PHI). In 2010, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed into law to amend the original rules, especially in the area of civil monetary penalties. It also encouraged the use of electronic record keeping. This brings us to 2013 and the enactment of the Omnibus regulations and rules to implement and clarify the requirements of the HITECH Act. Omnibus brought about changes to both the Security and Privacy sections of HIPAA.
The complete text of Omnibus is over 500 pages in length and impossible to summarize in a short article. But here are some highlights to help you decide whether or not you need to take a closer look. If so, a complete risk assessment is suggested to help identify gaps in your compliance.
First, you will want to understand what is being protected. PHI is made up of eighteen categories of information that include, but are not limited to, names, phone numbers, email addresses, social security numbers and a number of medical identifiers. It’s a good idea to review the entire list and see whether your business or contractors touch any of this information belonging to your customers or employees.
Who is affected? There are two groups involved. The first is the covered entities, which are healthcare providers, health plans and clearinghouses. If you’re one of these, you are probably already aware of the rulings. The second group, Business Associates (BAs), are those who interface with the covered entities and may have access to their PHI data. Their activities may include claims processing, data analysis, billing and legal services, consulting, administrative services and technology support.
How does Omnibus affect the business associates? A number of areas have been added or revised. For example, the BA is now directly liable for any use or disclosure of information that violates the HIPAA Privacy rules, such as breaches of the business associate agreements. BAs are also required to have agreements in place with their sub-contractors to ensure the protection of PHI.
What other areas are affected? There are many, including marketing communications, authorizations, and student and other disclosures. The list goes on, and this is by no means meant to be an all-inclusive account of how the Omnibus rule applies. What could be the biggest motivator to ensure compliance is the increase in fines, and in how often they are levied, for each reported breach. Additionally, the state attorneys general have been empowered to enforce and collect these fines.
The U.S. Department of Health & Human Services, HHS.gov, is an excellent place to start your research. There are also a number of books available to help with your understanding. Just be sure to get the latest editions, which address the 2013 Omnibus Rule changes.
Ted Saul is a business coach who assists with Business Plans and Project Management. He holds a master certificate in project management and has earned his MBA from Regis University. Ted can be reached on LinkedIn, as TWS787 on Twitter, or by emailing Ted@tsaul.com.