
The HIPAA Omnibus Rule, an extension of the Health Insurance Portability and Accountability Act (HIPAA), contains revisions and updates to all previously passed rules and specifically addresses how healthcare facilities may handle electronic health records, PHI, medical records, health plans, or any other protected health information after an individual's death. The edits and updates that modified the HIPAA Security Rule, HIPAA Privacy Rule, Breach Notification Rule and Enforcement Rule were all focused on creating stronger safeguards around data security and data sharing. The Omnibus Rule, the most recent HIPAA rule, established mandatory regulations surrounding a person's private healthcare data for businesses, associated employees, clients, family, and individuals. It specifically addresses how covered entities may handle PHI after an individual's death and also permits easier access to an individual's health information.
This rule strengthened the protocols governing, and the impermissible uses of, a person's health information, specifically in electronic form. It was established in response to the Health Information Technology for Economic and Clinical Health (HITECH) Act and assigns full responsibility for non-compliance with that act and with all previous HIPAA Rules. Since the Omnibus Rule was passed in 2013, there have been three major changes that apply to the liability and privacy of PHI.
1. Business Associate and Subcontractors Liability.
Before the Omnibus Rule was passed, the HITECH Act was put into effect so that liability for non-compliance could be placed not only on a covered entity but also on its business associates. The Omnibus Rule enhances these requirements, specifically for business associates who have been hired to carry out duties involving PHI, as is (and should be) defined in the business associate agreement (BAA) established between the two parties. This rule also gives the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) the authority to directly audit and/or fine any business associate for non-compliance, rather than holding only the covered entity liable.
2. Confidentiality and Privacy Edits.
The Omnibus Rule also expands on how disclosures of PHI and personal health records can be shared and accessed between healthcare providers and individuals. Most notably, it has given individuals easier access to their own health information, established stronger safeguards against the sale of PHI without the patient's consent, and clarified how PHI may be used for marketing, advertising, events, or fundraising purposes without risk of harm.
3. Other Changes.
Another significant change the HIPAA Omnibus Rule defines is the limit of HIPAA protection after an individual's death. The Omnibus Rule limits HIPAA protection to 50 years after a person's death and provides covered entities with more flexibility in releasing a deceased individual's information to family members or past care facilities.
The Omnibus Final Rule also requires covered entities to provide notice of any changes to, or redistribution of, their notices of privacy practices (NPPs) and privacy protections, and it redefines what is considered a breach. The Breach Notification Rule had previously stated that any significant risks detected, or suspected breaches, should be reported only if they were thought to affect over 500 people. The Omnibus Rule changed this: now any unapproved use or distribution of a person's PHI should immediately be reported to the U.S. Department of Health and Human Services for investigation.
Conclusion.
Understanding the laws and regulations regarding HIPAA and all the rules surrounding it can be hard and overwhelming. However, here at NeoCertified we try to simplify what it means to become HIPAA compliant, all while providing affordable email encryption to all of our healthcare providers in need of it. We don't just talk about HIPAA compliance; we are HIPAA compliant!