What is the HIPAA Omnibus Rule & Why It Is Important for Business Associates

In the healthcare sector, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs how healthcare organizations and any associated companies or professionals handle patient data within that legislative framework.

Part of that is the HIPAA Omnibus Rule, which came into effect in 2013. This article discusses how organizations navigate and stay compliant with the HIPAA Omnibus Rule.


The Department of Health and Human Services (HHS) is responsible for managing and ensuring compliance with HIPAA, the Omnibus Rule, and the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009.

All of these laws and regulations are designed to "strengthen the privacy and security protections for health information" under HIPAA.

Let's see what this means for organizations, business associates, and professionals according to the Omnibus Rule.

What is the HIPAA Omnibus Rule?

The HIPAA Omnibus Rule was established to consolidate and clarify the various components of HIPAA, including the Privacy Rule, Security Rule, and Breach Notification Rule, and to ensure that they are aligned with the 2009 HITECH Act.

The key takeaways organizations and individuals need to be aware of under the Omnibus Rule include:

  • People now have more rights to get an electronic copy of their health information. Also, healthcare providers must respect individuals' wishes to keep their information from being shared with a health plan for payment or operations, as long as it is not required by law and is about something they paid for out of pocket.
  • The term "Business Associate" now includes any group dealing with an individual's health information on behalf of a healthcare provider. This means that companies storing health data for healthcare providers and plans are considered Business Associates.

For more information, you can read the full Omnibus Rule and how it interacts with the HITECH Act and HIPAA in the Federal Register, Volume 78, Friday, January 25, 2013. The final Omnibus Rule replaced proposed and interim rules, coming into law on March 26, 2013.

Why the HIPAA Omnibus Rule Impacts Business Associates

One of the reasons for enacting the HIPAA Omnibus Rule into law was the growth of sensitive patient data, or Protected Health Information (PHI). This included the expanded use of Electronic Health Records (EHR) and software-as-a-service (SaaS) across the healthcare sector.

Protecting that data required expanding the rules governing the storage, processing, and use of PHI. The HIPAA Omnibus Rule was the solution, and in particular it addresses how Business Associates under HIPAA store, process, and use patient data.

  1. Patient Access to Their Data/PHI

    One of the most important changes is a patient's right and control over their own medical data, no matter who has access to it.

    According to the guidelines: "The Omnibus Rule expands an individual's right to receive an electronic copy of his/her PHI. In addition, the Omnibus Rule implements HITECH's requirement that providers follow patient requests that their PHI not be disclosed to a health plan for payment or health care operations purposes if the disclosure is not required by law and relates solely to items or services for which the patient paid out of pocket in full."

  2. Business Associate Accountability

    The Omnibus Rule expanded the concept of a Business Associate and how accountable they are to:

    • Patients
    • Clients (healthcare organizations, known as "Covered Entities")
    • Others in the supply chain

    A Business Associate now "include[s] all entities that create, receive, maintain, or transmit PHI on behalf of a covered entity, making clear that companies that store PHI on behalf of healthcare providers and health plans are business associates."

    This definition now encompasses "relevant subcontractors, ensuring that a covered entity's or business associate's security requirements encompass outsourced operations."

    So, even if your company never reads patient data directly, or holds it but cannot actually access it (e.g., PHI is stored encrypted on cloud servers you operate), it is still a Business Associate under HIPAA and, therefore, needs to be compliant with all of the relevant regulations.

  3. Marketing Restrictions Over PHI

    Under HIPAA, "The Privacy Rule generally prohibited the use or disclosure of PHI for marketing purposes without an individual's authorization."

    However, there are certain exceptions under the Omnibus Rule, provided PHI is not used in marketing communications. This could affect third-party Business Associates, as these companies are often tasked with communicating with patients on behalf of healthcare organizations.

    For example, "in-kind benefits" are "not considered prohibited remuneration," and neither is any communication to patients about "drugs or biologics that they already have been prescribed (or generic substitutes)."

    In practice, that means healthcare organizations can contact patients about drugs or other treatments they have already been prescribed. But they cannot contact them about new drugs they might not know about unless a doctor or other healthcare professional has told them about it or prescribed it as a form of treatment.

  4. Access to Genetic Information

    The Omnibus Rule incorporates the Genetic Information Nondiscrimination Act of 2008, so that genetic information is treated as PHI and receives all of the same safeguards under HIPAA.

  5. Rules Governing the Potential Sale of PHI

    On the sale of patient information (especially when patients can be identified), the Omnibus Rule "prohibits the sale of PHI, defined as remuneration (financial or otherwise) in exchange for PHI, without individual authorization."

    When public health interests are at stake, the price charged for data used in research is "limited to a reasonable cost-based fee to cover the cost to prepare and transmit the PHI."

  6. Research Using Data Under HIPAA

    The Omnibus Rule still allows for PHI to be used for research and studies, including future use of patient information, whether or not the potential for its use was clear at the time data was collected. It reduces the need for multiple consent forms or future researchers having to obtain permission from next of kin in the event of a patient passing away.

    According to the guidelines: "Researchers [can] obtain 'prospective consent' for future studies, a change from previous HHS interpretation of the Privacy Rule as requiring study-specific research authorizations."

    Omnibus allows researchers to obtain a single authorization for use in future studies. However, a detailed description of the types of studies a patient's PHI might be used in must be provided. In other words, future studies should be ones for which patients would reasonably expect their information to be used.

  7. Rights of the Deceased

    Originally, using the PHI of a deceased individual for research always required authorization from that individual's personal representative. Omnibus grants researchers permission to use the PHI of a deceased individual without authorization as long as the individual has been dead for at least 50 years.

  8. Breach Notice Under HITECH and HIPAA

    Under the HIPAA Privacy Rule, Covered Entities and Business Associates handling PHI are legally obligated to notify patients in the event of a data breach. Those to be notified may include any person or organization affected by a potential data breach, including patients (data subjects) and any other organizations or vendors in the supply chain.

    The beefed-up Breach Notification Rule "replaces a controversial 'risk of harm' breach standard from an earlier version of the rule with an objective requirement that covered entities treat improper disclosures of PHI presumptively as breaches unless certain statutory conditions exist (e.g., a demonstration that the data were encrypted) or the covered entity can demonstrate a low probability that PHI has been compromised."

    In practice, this means undertaking a "four-part risk assessment that includes consideration of whether the data were actually acquired or viewed by an unauthorized person and the extent of mitigation accomplished."

    In the event that data has been breached, copied, or viewed by someone not authorized to have access, then patients and any companies in the supply chain need to be notified.

  9. HIPAA Omnibus Rule Penalties

    One crucial change is the severity of fines imposed on organizations for breaches. This gives HIPAA more "teeth" as a regulatory compliance mechanism.

    According to the Omnibus Rule, the "assessment of violations includes consideration of the number of individuals affected, the length of noncompliance, and the severity of culpability. Penalties may reach a cap of $1.5 million per identical violation type per year."

  10. HIPAA Omnibus Rule: Key Takeaways

    The HIPAA Omnibus Rule came into force on March 26, 2013, and has been one of the key healthcare data-related laws ever since. Key takeaways include:

    • More businesses than ever fall under Business Associate guidelines
    • There are more restrictions when it comes to the use of PHI in marketing materials, the sale of data, the rights of the deceased, and research
    • Fines are larger for any organization that breaches HIPAA rules
    • Businesses need to do more to safeguard patient data and to ensure patients always have access to, and control over, their PHI, whichever company or individual holds it
