What is the HIPAA Omnibus Rule?
The HIPAA Omnibus Rule, which was finalized in 2012 and became effective in 2013, contains edits and updates to all of the previously passed HIPAA compliance rules. The modifications to the Security, Privacy, Breach Notification, and Enforcement Rules were intended to strengthen the confidentiality of protected health information (PHI) and the security of PHI when it is shared. The Omnibus Rule provided one single, exhaustive document that details all the requirements for complying with HIPAA and HITECH. Please read on so the Accountable blog can fill you in on the rest of the 'need to knows' for the HIPAA Omnibus Rule and what it meant for your compliance plan.
The Omnibus Rule
The Omnibus Rule, the most recent addition to HIPAA (the Health Insurance Portability and Accountability Act), was passed to strengthen the protection of protected health information, especially in electronic form, and to give patients more access to their individual health information. The rule was a response to the Health Information Technology for Economic and Clinical Health (HITECH) Act: it fully implemented liability for noncompliance with HITECH in addition to the liability already established under the earlier HIPAA rules.
The Omnibus Rule brought about many changes. They stem from the updates it made to the individual rules, and together they changed what it takes to comply with HIPAA as a whole.
Business Associate Liability
The Omnibus Rule followed just after the HITECH Act, which made business associates and their subcontractors directly liable for their own compliance with HIPAA. Although this change was first introduced in HITECH, the Omnibus Rule took it to another level by enforcing these regulatory requirements upon business associates. The rule was finalized by the Office for Civil Rights (OCR), the party responsible for enforcing the expectations of the Omnibus Rule. Business associates are now bound to HIPAA mandates, the same as their covered entity clients. This means that business associates can now be audited and/or fined directly for noncompliance by the Department of Health and Human Services or the Office for Civil Rights, rather than the covered entities being held responsible on behalf of the business associate.
The Omnibus Rule addresses the following questions and issues relating to the use of PHI:
- PHI used in marketing or fundraising materials or events
- Selling PHI without the express consent of the patient
- Student immunization record disclosures
- Sharing of PHI (protected health information) in reference to either the treatment of a patient, or when seeking payment for their care
- Patients gained the right to restrict disclosure of their health information to health plans
- Individuals also gained the ability to access their electronic PHI (ePHI)
The Omnibus Rule: Other Significant Changes
- Under the Breach Notification Rule, organizations were required to report breaches where there was a significant potential of harm to over 500 people. The Omnibus Rule changes this and says that any unauthorized use or sharing of protected health information should be presumed to be a breach. This has certainly led to a higher number of reported data breaches each year.
- Increased limitations were placed on sharing protected health information (PHI). One example was that PHI was no longer allowed to be sold to anyone without direct, written permission from the patient. If permission is granted by the patient, the patient retains their right to reverse this authorization at any time and ask the Covered Entity to stop using their health info.
- In expanding one of the main goals of HIPAA, the Omnibus Rule gave individuals more rights to access their own ePHI.
- The tiered penalties against organizations that violate HIPAA and HITECH were updated and the extent of enforcement was increased.
- The Omnibus Rule requires changes to, and redistribution of, each covered entity's notice of privacy practices (NPP).
The HITECH Act made the changes, but the Omnibus Rule put muscle behind those changes. This law modified the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule. It did not contain much new information that had not been mentioned in previous legislation; rather, it is a finalization and summation of all that HIPAA contains and requires of its covered entities and business associates.
Understanding all the aspects of the Omnibus Rule and HIPAA can be overwhelming and exhausting, but that is exactly why Accountable is here to simplify what it means to be HIPAA-compliant. Learn more today by booking a demo here!