The Path to Omnibus Compliance: One Year Wiser
What’s New? Focus on Business Associates
The new rule expands the definition of a business associate (BA). According to that definition, BAs now include entities that “maintain” private health information (PHI), in addition to those that create, receive or transmit PHI.
The new definition casts an even wider net, encompassing the subcontractors of BAs who work with PHI. An additional layer of bureaucracy is to be expected since BAs must now enter into business associate agreements (BAAs) with subcontractors.
Furthermore, for the first time BAs are directly liable for HIPAA compliance. They must report any breach of unsecured PHI to CEs and they are statutorily liable for violations and breaches for which they were responsible. BAs are subject to the same HIPAA privacy restrictions as covered entities (CEs). This implies that BAs create and implement privacy and security policies and procedures, just like CEs. BAs will also be subject to compliance reviews courtesy of HHS.
New Penalties. New Restrictions.
HHS will now consider a variety of factors when determining the penalty for HIPAA violations. They’ll now weigh such factors as the number of individuals affected by the violation and whether the violation damaged an individual’s reputation.
The new final rule offers CEs the opportunity to rebut the presumption that PHI has been acquired, accessed, used or disclosed in a manner that violates the HIPAA privacy rule—if it can prove that there was a very low probability that the PHI was compromised based on a risk assessment of the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
Omnibus clamps down on the use of PHI in sales, marketing and fundraising efforts, unless the sale of PHI falls under an exception in the rules, such as to disclose information for the purpose of improving public health, research, treatment or merger/corporate sales. Also, health plans may no longer use or disclose genetic information for purposes of underwriting (with the exception of long-term care plans).
The new rule does ease disclosures to schools about proof of immunization, if certain
conditions are met. HIPAA authorization won’t be required in the transfer of this information. A few new patient rights governing information access were also included in the Omnibus rule.
New Patient Rights
The new HIPAA Omnibus gives patients new rights. CEs must agree to restrict disclosure of an individual’s PHI to a health plan if the PHI relates to an item or service that was paid for in full by someone other than the health plan. Additionally, CEs must provide access to PHI in electronic form, if requested by an individual, and if the PHI is reproducible in electronic format. Lastly, covered entities must, if requested in writing by an individual, provide a copy of PHI directly to another person designated by the requesting individual.
The new rule also broadens the definition of “family member.” It now includes provisions for relatives by affinity and not just biological relatives. This expanded definition comes into play when requests for disclosures take place after the subject of the PHI is deceased. And if you had been concerned that your PHI might be made public after your death, the new rule requires HIPAA compliance for private information for 50 years following an individual’s death.
Raise the Red Flag!
So, the changes are not monumental, like those we experienced at the announcement of the HITECH Act, but achieving full compliance requires a concerted effort within many departments of your organization. First and foremost, organizations should develop a system for flagging at-risk data within their electronic health records (EHRs) so that they may monitor PHI as it flows through the organization’s digital network. Pay particularly close attention to systems that directly generate billing.
Mind the Gap(s)!
After becoming intimately acquainted with the new HIPAA Omnibus and OCR guidelines, identify your own gaps to compliance. Determine where your organization is most likely to fail, determine the number of potential occurrences of breaches, and calculate the risk to your organization based on potential fines. Stay cognizant that if gaps remain unaddressed, these could be categorized as “willful disregard,” and heavier fines may be assessed.
Take careful notes! Documentation of each step of this process benefits you in two ways. It creates a “punch list” of adjustments and enhancements for your organization that will ultimately improve your compliance readiness. And second, in the event of a breach, you’ll be prepared to prove that your organization was actively working toward compliance, which could reduce the severity of your penalty.
Update Policies and Procedures
It’s one thing to know and understand the HIPAA Omnibus rules, but remember—the details of the new privacy and security mandate need to be communicated to all stakeholders. Update all written privacy policies and procedures per the new rule. The process of publishing the Notice of Privacy Practices (NPP) will “etch in stone” your organization’s commitment to compliance, and the newly published pieces will serve as ideal study guides for all employees responsible for protecting PHI in your organization. Workforce members should receive training on all new and revised policies.
Don’t underestimate the importance of training. In particular, management and higher-level employees should be fully trained on the new breach standard so that, if necessary, they can correctly perform the required analysis. Training is important both as a preventative measure and to ensure compliance with HIPAA and the HITECH Act. Training should be documented and maintained in the event training logs and program details are requested during an audit or investigation.
Assessing the Situation
You will want to document, in outline form, best practices is assessing and measuring your ongoing compliance efforts. First, an organization must decide if the risk assessment process will be completed by an external or internal effort. If external, the group should be vetted for legitimacy, as well as their comprehension of privacy and security rules. The resulting assessment should then be provided to the internal group for analysis and prioritization of next steps.
If the organization elects to perform an internal assessment, the rules/regulations to be reviewed, as well as the company culture toward compliance, should be assessed. Regardless of who performs the assessment, they must be capable of providing an unbiased risk study. Steps in this process should include:
- Determine the scope of the assessment with the compliance committee and/or governing board of authority.
- Identify the stakeholders needed to provide information.
- Determine the sequence of involvement of the identified stakeholders.
- Determine how information will be collected (via survey, questionnaires, interviews, etc.).
- Gather the data.
Once the process has been completed, the report should be presented to the executive members of the compliance team so that they may fully understand the organization’s risk picture. This group would then analyze potential threats, vulnerabilities and/or risks and prioritize them in an agreed upon ranking methodology. The ranking methodology should include the likelihood of threat/risk occurrence and the potential impact of that occurrence.
After risks have been analyzed and ranked, controls should be put into place for the purpose of monitoring and mitigating risk. This is an ongoing report and review process that will ensure the effectiveness of your compliance/mitigation efforts.
When All Is Said and Done
The path has been long, circuitous and more than a bit confusing. Your path to HIPAA Omnibus compliance starts with gaining a thorough knowledge of the revised rules. Use that as your guide as you assess your organization’s compliance preparedness. Identify your own vulnerabilities, and move toward correcting them before compliance becomes more of a mitigation effort. Take careful notes, identify best practices and share your knowledge with your staff. The path may be long, with lots of switchbacks, but your final destination will be worth the effort.
About the Author:
Rita Bowen, MA, RHIA, CHPS, SSGB, is Sr. Vice President of HIM and Privacy Officer of HealthPort where she is responsible for acting as an internal customer advocate.