HIPAA omnibus rules released

The U.S. Department of Health and Human Services (HHS) published the long-awaited final omnibus rule under HIPAA (Omnibus Rule) on Jan. 25. The rule implements the Health Information Technology for Economic and Clinical Health Act (HITECH) and amends provisions related to privacy, security, breach notification and enforcement in important ways.

The omnibus rule does not change the monetary penalties under HIPAA and HITECH, but HHS has stated that it will investigate all cases of possible willful neglect and will impose penalties on all violations due to willful neglect.

“Willful neglect” is defined as “conscious, intentional failure or reckless indifference.” The omnibus rule also revised the definition of “reasonable cause” to “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but which the covered entity or business associate did not act with willful neglect.” The civil penalty tiers remain unchanged:

  • Did Not Know (and could not have known): $100-$50,000 per violation;
  • Reasonable Cause: $1,000-$50,000 per violation;
  • Willful Neglect – corrected within 30 days of discovery: $10,000-$50,000 per violation; and
  • Willful Neglect – not corrected within 30 days of discovery: $50,000.

All violations of an identical provision in a calendar year shall not exceed a fine of $1,500,000.
The compliance date for the final rule is Sept. 23, 2013.

This is a summary of provisions of which dental practices will want to be aware. More details will be published in the CDA Update at a later date and compliance resources will be available soon on cda.org/compass.

Business Associates and Subcontractors

Business associates of “covered entities” are now required to comply with the security rule. A business associate is a person or entity that “creates, maintains, or transmits protected health information (PHI) on behalf of a covered entity.” Business associates must implement administrative, physical and technical safeguards to protect PHI they receive from covered entities. Business associates are also required to enter into business associate agreements with any direct subcontractors. A subcontractor is any person or entity to whom a business associate delegates a function, activity or service on behalf of a covered entity. These downstream agreements must require that subcontractors comply with HIPAA.

Notice of Privacy Practices

A covered entity’s Notice of Privacy Practices (NPP) must be reviewed and revised for compliance with the omnibus rule. NPPs must now include a statement that certain uses and disclosures of PHI, such as some related to marketing, require an authorization. NPPs should also be amended to reflect the prohibition on the sale of PHI, breach notification requirements, the right for patients to opt out of fundraising, and the right to restrict disclosure of PHI when paying out-of-pocket. Patients may be notified of the updated NPP by a sign in the waiting room, a statement included in a bill or other practice communication and on the practice website. NPPs must be posted and included on a covered entity’s website. Acknowledgement of receipt of the updated NPP need only be obtained from new patients.

Patient Rights – Access to Records

In its overview and discussion of the omnibus rule, HHS clarified HITECH provisions on patient access to records. If an individual requests access to PHI maintained electronically, a covered entity must provide access in the specific electronic format requested if it is readily producible in that format. If the PHI is not producible in that format, the covered entity must provide the PHI in a readable electronic format agreed to by the individual. Also, PHI may be transmitted via unencrypted email to the patient only if the patient consents to receiving the information in this manner after being informed of the risks of unsecure communications.

Breach Notification Rule

Prior to the omnibus rule, HIPAA’s breach notification rule included a “harm threshold.” Breach notification was only required if the covered entity determined that the breach could result in a “significant risk of financial, reputational, or other harm.” The omnibus rule now states that there is a “presumption of a reportable breach unless there is a low probability the PHI has been compromised after risk assessment.” Covered entities must conduct a risk assessment to determine the probability that the PHI in question was compromised.

Definition of Marketing

HIPAA’s definition of “marketing” includes a number of exceptions for certain health-related communications. The omnibus rule makes it clear that “marketing” includes all communications in which the covered entity receives financial remuneration from a third party marketing a product or service. All such communications, even those for treatment or health care operations, are only permissible with a valid authorization from the individual.

Sale of PHI

The omnibus rule prohibits the sale of PHI without a valid patient authorization but provides for certain exceptions. Covered entities may receive remuneration in exchange for PHI if the exchange is for the following purposes:

  • treatment;
  • payment;
  • public health;
  • sale of a covered entity and related due diligence;
  • required by law;
  • activities of business associates.

The omnibus rule can be found online here.