The compliance date for the HIPAA Omnibus Rule is fast approaching. Covered entities need to align their practices with the HIPAA Omnibus Rule by September 23, 2013. Usually doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies are subject to HIPAA and the Omnibus Rule requirements if they transmit certain health information in an electronic form.
The Omnibus Rule provides patients with new rights under HIPAA. Starting September 23rd, a patient has the right to obtain an electronic copy of her electronic health record. She has the right to have her designated record set sent to a third party. She has the right to have the covered entity restrict disclosures to health plans for treatment or services paid in full by the patient. This new right to restrict disclosures to health plans will likely be a challenge for a covered entity to implement. Implementing a policy now will allow the covered entity to troubleshoot compliance with payment, follow-up care, written prescriptions, and unbundling of services by September 23rd. She also has the right to easily opt out of receiving fundraising communications. Additionally, the Omnibus Rule strengthens the patient’s right to be informed and control her PHI. There is now an explicit requirement that a patient must provide a separate written authorization prior to the sale of PHI, the disclosure of psychotherapy notes, and the receipt of marketing communications.
Consequently, because the Omnibus Rule provides new rights to patients, covered entities must also revise and update their notice of privacy practices. Covered entities must also review and revise their policies and procedures to make sure they conform to the new rights and changes implemented in the Omnibus Rule no later than September 23rd. Additionally, workforce members will need to be trained on the changes in the HIPAA Omnibus Rule.
One significant departure from the proposed rule and the final Omnibus Rule is the standard for breach notification. The Omnibus Rule makes clear that any unauthorized use/disclosure is presumed to be a breach requiring notification to the affected patients unless the covered entity rebuts that presumption with appropriate documentation. The breach notification policy must be updated accordingly.
Furthermore, business associate agreements should be reviewed and revised to conform to the Omnibus Rule. The Omnibus Rule clarified that a covered entity may be vicariously liable for the violations of its business associate. The covered entity cannot rely solely on the language of the business associate agreement. Rather the Office of Civil Rights or Attorney General will look at the practical relationship of parties and how much control the covered entity has over the means and method of the business associate in carrying out the duties under the agreement. Ultimately, the actual practices between the business associate and covered entity will control in determining vicarious liability.
Non-compliance has the potential to be extremely costly both economically, in the form of civil monetary penalties, and in terms of reputational harm, in the form of loss of integrity and goodwill in the community. Not having these provisions in place by September 23, 2013, is not only a HIPAA violation but also constitutes a continuing violation for each day of non-compliance. So even though summer is cooling down, HIPAA compliance is heating up.
We are here to assist you through this process to ensure that you will be in full compliance by the deadline; should you have any questions or concerns, please don’t hesitate to contact Attorney Laura Brady at 330.497.0700.