In this article, we discuss what the HIPAA Omnibus Rule is and how it relates to HIPAA and HITECH.
The federal government is getting aggressive when it comes to HIPAA penalties. The numbers for 2019 have not yet been tallied, but the fines in 2018 set records—with Anthem receiving the largest ever at $16 million and several seven-figure fines also being levied.
This trend has been growing since the release of one of the more recent set of rules that healthcare organizations need to consider—the HIPAA Omnibus Rule, which went into effect in 2013. It essentially merges HIPAA and HITECH into one rule and modifies rules pertaining to the enforcement of privacy, security, breach notifications, and penalties in relation to the handling of electronic medical records.
Healthcare organizations should particularly pay close attention to four Omnibus Rule components:
- Restrictions on the use of patient information in marketing campaigns.
- Requirements to report data breaches that are not deemed harmful.
- The liability of vendors and subcontractors for their own breaches and for HIPAA compliance.
- The responsibility of healthcare providers to make sure vendors and subcontractors comply with HIPAA.
Organizations that need to tune into the Omnibus Rule include healthcare providers, referred to as Covered Entities. Vendors and subcontractors referred to as Business Associates, who provide services to Covered Entities and handle medical records must also comply.
Breach Notifications: Are They Always Required?
It used to be that organizations had to provide a notice of a security breach only if the breach posed a significant risk of harm to 500 or more individuals. But under the Omnibus Rule, organizations must report any breach or disclosure of protected health information that is not permitted by the HIPAA Privacy Rule.
Things are also a bit murky in this area. Covered Entities and Business Associates do not have to report breaches in cases where they can demonstrate that the risk of harm is low. This is based on the assessment of four factors, as defined by the Healthcare Compliance Pros website:
- The nature and extent of the protected health information that was breached; this includes the types of identifiers and the likelihood of persons being re-identified.
- The identity of the unauthorized party who used the information or to whom the disclosure was made; if it’s a reputable organization that complies with HIPAA, the breach may be OK.
- Whether or not the health information was actually acquired or viewed by another party.
- The extent to which the risk to the health information was mitigated.
If you choose not to report a breach, it’s critical to make sure you have covered your bases across all of these factors. The fourth factor requires careful consideration. Proving the extent to which you have mitigated a breach can be difficult.
Carefully Check Business Associates
Some of the Privacy Rule and all of the HIPAA Security Rule enforcement protocols, which are part of the Omnibus Rule, now apply directly to the Business Associates that Covered Entities work with. Agreements that Covered Entities sign should thus include a review of Business Associate compliance with the Omnibus Rule, particularly the breach requirements. Covered Entities should also consider adding liability protection to their Business Associate agreements.
This is key because maximum penalties for breaches of protected health information can range anywhere from ~$58K to ~$1.75M. The amount of the fine depends on whether or not an entity is aware of the breach, the cause of the breach if there was any willful neglect, and whether or not the entity took corrective action.
While Business Associates are directly liable for their own violations, Covered Entities can be penalized for Business Associate violations. For example, a Covered Entity can be fined if it has not acquired the necessary assurances that a Business Associate or one of its subcontractors complies with the Omnibus Rule. This makes it mandatory for healthcare organizations to conduct careful compliance reviews of Business Associates, who also need to include a compliance review of each subcontractor they use.
Patient Communication Also Plays Key Role in Compliance
There are many other components to the Omnibus Rule that healthcare organizations need to consider. This includes individuals having the rights to restrict certain disclosures of protected health information (PHI). Patients also have the right to request access to their data. And genetic information is considered a type of health information subject to HIPAA, and there are restrictions that prohibit health plans from using genetic information for underwriting purposes and employers from using genetic information in the hiring and promotion process.
All this complexity in the Omnibus Rule makes it imperative to work with a compliance consultant. Healthcare organizations also need to educate patients on their individual privacy and disclosure rights. Patients need to know how their information is used and disclosed and how to submit complaints pertaining to privacy violations.
Progress MOVEit® Managed File Transfer can play a key role in helping your healthcare organization comply with the HIPAA Omnibus Rule. The solution assists with internal and external transfers of files containing protected information by encrypting all data in motion and at rest. To see how MOVEit can help, download a free trial today.