The long-awaited final Omnibus Rule that modifies the Health Insurance Portability and Accountability Act of 1996 (HIPAA) took effect on March 26, 2013. Leon Rodriguez, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) calls the changes the “most sweeping” since the HIPAA Privacy and Security Rules were first implemented. HIPAA covered entities and business associates generally have until September 23, 2013 to become compliant with the Omnibus Rule.
Who do the Changes Affect
HIPAA covered entities, including health care providers, health systems, health plans (including insured and most self-insured employer group health plans) and clearinghouses.
HIPAA business associates, including a wide range of vendors who contract with covered entities and access protected health information (PHI). Examples include technology vendors, services organizations, accountable care organizations (ACOs), and third party administrators.
What Action is Required
HIPAA covered entities and business associates should act now to take the following measures:
Revise Business Associate Agreement template forms
Evaluate existing contractor arrangements, including existing Business Associate Agreements, to determine whether modifications or new agreement provisions are necessary
Revise HIPAA Policies and Procedures, including modifications to address response to potential breaches involving unsecured PHI
Update and redistribute Notices of Privacy Practices
Analyze current arrangements for compliance with restrictions on the sale of PHI, and marketing and fundraising restrictions
Train employees on updated obligations
Some of the Key Changes Under the Omnibus Rule
The Omnibus Rule expands the definition of business associate.
The Omnibus Rule expands the liability and obligations of business associates.
The Omnibus Rule eliminates the “significant risk of harm” standard as the threshold for breach notification; an impermissible use or disclosure of unsecured PHI is now presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, a low probability that the PHI has been compromised.
Marketing, Fundraising, and the Sale of PHI
The Omnibus Rule imposes stricter limitations on marketing communications made in exchange for financial remuneration. Specifically, written communications promoting purchase or use of a third party’s products or services require prior individual authorization if the covered entity receives financial remuneration from that third party in exchange for sending the communication. Limited exceptions exist for face-to-face communications, promotional gifts of nominal value, and refill reminders or other communications about a drug or biologic currently prescribed to the individual, provided that any remuneration received for such reminders is reasonably related to the cost of making the communication.
The Omnibus Rule provides a limited set of circumstances in which a covered entity can use and disclose certain PHI for fundraising without an authorization. Regardless of whether an authorization for fundraising was required or obtained, covered entities must provide an individual with a clear and conspicuous opportunity to opt-out of receiving future fundraising communications.
The Omnibus Rule prohibits the sale of PHI unless the individual has authorized it. The requisite authorization must acknowledge that the covered entity will receive remuneration in exchange for PHI.
Changes to Enforcement Rules
HHS may impose civil monetary penalties up to $1.5 million for all violations of an identical HIPAA requirement in a calendar year.
The Omnibus Rule removes HHS’s discretion to decline to investigate a complaint or potential violation when its preliminary review indicates a possible violation due to willful neglect. In those cases, HHS is required to open a formal investigation.
Other Notable Changes
Covered entities must change their Notices of Privacy Practices to describe certain uses and disclosures of PHI and redistribute such notices to patients.
The Omnibus Rule gives individuals the right to have their provider restrict certain PHI from disclosure to health plans where the individual pays for the care out-of-pocket in full and requests such a restriction.
The Omnibus Rule prohibits health plans from using or disclosing genetic information for underwriting purposes, as required by the Genetic Information Nondiscrimination Act.