Tick, Tick, Tick … Time is Running Out for HIPAA Omnibus Rule Compliance
The enforcement date for the HIPAA Omnibus Final Rule (Omnibus Rule) is Sept. 23. This means time is running out for HIPAA covered entities and business associates to come into compliance with the Omnibus Rule’s requirements.
1. Update Policies and Procedures
Covered entities may want to address certain significant provisions of the Omnibus Rule in their updated policies and procedures, including:
- Amending their breach notification policy to reflect the presumption that an impermissible acquisition, access, use, or disclosure of unsecured PHI is a reportable breach unless a risk assessment that addresses at least four mandatory factors finds a low probability that the information has been compromised;
- Requiring authorization for marketing to reflect that communications that encourage the use of a product or service, including a treatment alternative or a health-related product or service offered by the covered entity, now may be marketing if financial remuneration is received from a third party;
- Prohibiting the sale of PHI where PHI is exchanged for financial or non-financial remuneration, unless an exception applies;
- Expanding the types of PHI that may be used for fundraising while requiring conspicuous opt-out language on all fundraising communications;
- Prohibiting disclosure to health plans for payment or health care operations on the patient’s request when the patient or a third party pays in full for a health care item out of pocket;
- Expanding a patient’s right to receive an electronic copy of certain PHI and to have an electronic or hard copy sent to a third party;
- Limiting the definition of PHI to exclude information about persons who have been deceased for more than 50 years and providing greater flexibility to share information of decedents with friends, family, and others who were involved in care; and
- Permitting disclosure of student immunization records to schools based on informal agreement of the student or personal representative where the state requires schools to obtain such information.
2. Update Notice of Privacy Practices
The Omnibus Rule modifies and expands the content of the Notice of Privacy Practices (NPP). Covered entities must update their NPP to reflect these new requirements and any changes to their privacy practices. Covered health care providers will need to start distributing the revised notice to new patients starting on the compliance date and will need to update the notices posted at facilities and on their websites. Covered plans generally will need to post notices on their websites and include updated notices in their next annual mailings.
3. Update Business Associate Agreements
To comply with the Omnibus Rule, covered entities also likely will need to revise their business associate agreement (BAA) form to reflect the new requirements. Additionally, the definition of business associate has changed. Some vendors and service providers that previously were not considered to be business associates may become business associates under the Omnibus Rule.
Covered entities may want to consider developing an overall business associate contract implementation strategy, which would also include verifying the business associate status of current vendors, conducting an inventory of all existing BAAs, and planning an approach for renegotiating business associate contracts. Covered entities also should take this opportunity to consider whether the terms of the covered entity’s form BAA adequately address the new Omnibus Rule requirements and provide appropriate protections and safeguards. The Omnibus Rule grandfathers most BAAs that were in effect prior to Jan. 25, 2013, providing an additional year—until Sept. 22, 2014—to amend these BAAs.
4. Revisit Risk Analysis
Compliance efforts for the Omnibus Rule present a good opportunity to revisit or perform the risk analysis required under the HIPAA Security Rule. Recent enforcement actions, as well as informal statements by the U.S. Department of Health and Human Services (HHS), suggest that HHS has been evaluating covered entities’ risk analyses as a matter of course in investigations and at times has found them wanting.
5. Enhanced Requirements for Business Associates
Beginning on the effective date of the Omnibus Rule, HHS will begin HIPAA enforcement for business associates. Business associates must comply with the Security Rule and applicable sections of the Privacy Rule. Additionally, business associates have direct regulatory liability for compliance with much of their BAAs, rather than having only contractual liability.
As indicated, the Omnibus Rule made a number of modifications and clarifications to the definition of “business associate” that are significant in determining who qualifies as a business associate. Of note, the Omnibus Rule expands the definition of business associates to include subcontractors. Business associates need to have BAAs in place with their subcontractors. These BAAs not only must meet the minimum requirements of HIPAA but also need to pass on the restrictions relating to PHI that the business associate has agreed to in its BAA with the covered entity (or upstream business associate).
Business associates should consider:
- Performing a risk analysis and risk management evaluation;
- Developing security policies and procedures consistent with the Security Rule;
- Updating breach notification policies;
- Establishing processes for verifying the business associate’s compliance with its BAA obligations; and
- Developing an approach for negotiating BAAs (for both covered entities and subcontractors) including updating BAA templates.
Educating staff is a critical element of compliance with the Omnibus Rule for covered entities and business associates. Staff training should cover the significant changes to the organization’s operations and practices as a result of the Omnibus Rule and be tailored to staff’s roles and responsibilities within the organization. Training should be documented.