Is Your Organization Fully Omnibus Rule HIPAA Compliant?

Key Notes of Health Care Compliance From HIPAA Exams, Inc. March 2014

September 23, 2013 is long past, but compliance is still the priority! With the rise of the mobile workforce, compliance may be difficult; however, it is absolutely necessary to avoid costly penalties. Review the checklist below to see how you measure up in Omnibus Rule HIPAA compliance.

  1. Have you appointed a Privacy Officer?
  2. Have you appointed a Security Officer?
  3. Have you complied with all required HIPAA Security Rule requirements to implement safeguards: administrative, technical, and physical? Document this implementation!
    a. If you did not implement any of the security standards, you must document your reasons for not complying!
  4. Have you updated your Notice of Privacy Practices (NPP) and posted the updated NPP on your organization's website?
  5. Have you amended your Business Associate Agreements (BAAs) to include the additional required HIPAA provisions?
    a. Remember, existing compliant BAAs must be amended by September 23, 2014. New BAAs must have been completed by September 23, 2013 and must contain the Omnibus Rule mandated requirements.
  6. Have you trained or retrained your workforce on all of the new Omnibus Rule HIPAA requirements, including security workforce training?
    a. Training of the entire workforce on policies and procedures with respect to PHI is mandated under the HIPAA Privacy Rule.
    b. Training is mandatory! Document all training!
  7. Have you established policies and procedures for providing access to electronic protected health information (ePHI) to third parties when requested by an individual?
    a. Document the policies and procedures!
  8. Have you conducted an annual security risk assessment?
    a. Are this assessment and its results documented?
  9. How are you addressing any issues identified in the risk assessment?
    a. Document your action items.
  10. How are you ensuring that ePHI is secure? Are you using encryption or destruction?
    a. Document this in your Security Policies and Procedures.
  11. Do you have Policies and Procedures in place for breach notification should one occur?
    a. Make sure that your policies and procedures include the "low probability of compromise of ePHI" test.
    b. Document all breaches involving fewer than 500 individuals and include them in your annual report to the Department of Health and Human Services (HHS) as required by HIPAA.

Key takeaways from this checklist:

  • Document, document, document
  • Train, train, train
  • Secure all PHI
  • Comply with data protection regulations
  • Avoid costly breaches!

Be ready if an audit comes! Stay current with HIPAA requirements through the online educational courses offered by HIPAA Exams, Inc. Current educational modules are available for Business Associates, Administrators, Health Care Providers, Nurses, Medical Office Staff, and other Health Care workers.


Protecting patient data is one of the main responsibilities of healthcare organizations, especially in light of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule enacted in 2013. This rule significantly expanded the requirements for safeguarding patient privacy and data security. Complying with the HIPAA Omnibus Rule is not just a legal obligation but also essential for maintaining trust with patients and avoiding costly penalties.

In this blog, we will explore the key aspects of the Omnibus Rule and provide guidance on assessing and enhancing your organization's compliance posture.

What Is the Omnibus Rule?

The HIPAA Omnibus Rule took effect March 26, 2013, and comprises a comprehensive set of modifications to the HIPAA Privacy, Security, and Enforcement Rules. Affiliated with the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Omnibus Rule implements many of the privacy, security, and enforcement provisions outlined in the Act. The primary purpose of the Omnibus Rule includes all of the following:

  • Enhanced Privacy Protections
  • Expanded Coverage
  • Increased Penalties for Non-Compliance
  • Breach Notification Rule Modification
  • Enhanced Individual Rights
  • Genetic Information Protections

Impact of the Omnibus Rule on Covered Entities

Business Associates and Business Associate Agreements

The Omnibus Rule impacts covered entities by expanding the definition of "business associates" to include entities that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity.

This change requires covered entities to update their Business Associate Agreements (BAAs) to ensure compliance with the new requirements. Covered entities must revise their Notice of Privacy Practices (NPP) to reflect the changes brought about by the Omnibus Rule, including informing patients of their rights and how their information is protected.

Penalties and HIPAA Breach Notification

The Omnibus Rule also increased penalties for HIPAA violations and revised breach notification rules, incentivizing entities to adhere to the updated regulations to avoid costly fines and reputational damage. Under the revised breach notification rules, covered entities must notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media of any breaches of unsecured PHI.

Specific Compliance Challenges for Different Organizations

Healthcare Provider Compliance

Healthcare providers face unique challenges in complying with the Omnibus Rule. They must ensure that all BAAs with their business associates are updated to include the new requirements and that they adequately train all of their staff on the changes. Providers must also update their NPPs and make them available to patients, which can be a time-consuming and resource-intensive process.

Health Plan Compliance

The Omnibus Rule explicitly mentions healthcare plans as covered entities, so they are expected to be in compliance with the rule’s standards. This includes health insurance companies, clearinghouses, and government-sponsored programs like Medicare, Medicaid, and veterans and military programs.

Health Plan Marketing

Any use of PHI for marketing or fundraising must comply with the new regulations, which may require significant changes to a health plan's current practices. Covered entities must obtain individual authorization for certain marketing communications and provide an opt-out mechanism for fundraising communications.

Strategies for Achieving Omnibus Rule Compliance

Policies and Procedures:

  • Distribute specified HIPAA policies and procedures to all staff members.
  • Ensure all staff members read and attest to the implemented HIPAA policies and procedures.
  • Document staff attestations to prove the distribution of HIPAA rules.
  • Maintain documentation for annual reviews of HIPAA policies and procedures.

Training:

  • Provide basic HIPAA compliance training to all staff members.
  • Ensure all staff members complete HIPAA training for employees.
  • Maintain documentation of staff training.

Compliance Officer:

  • Designate a staff member as the HIPAA Compliance, Privacy, or Security Officer as the law requires.

Business Associates:

  • Identify all business associates as defined under HIPAA rules.
  • Identify all associates who may receive, transmit, maintain, process, or access ePHI.
  • Execute a Business Associate Agreement (Business Associate Contract) with each identified Business Associate.
  • Audit Business Associates to ensure their compliance with HIPAA rules.
  • Maintain written reports to demonstrate due diligence regarding Business Associates.

Incident Management:

  • Implement a management system to handle security incidents or breaches.
  • Establish systems to track and manage investigations of incidents that impact the security of PHI.
  • Ensure thorough investigation of each incident.
  • Generate reports of all breaches and incidents, regardless of their severity.

Additional Strategies:

  • Conduct regular risk assessments to identify potential vulnerabilities and gaps in HIPAA compliance.
  • Develop and maintain a comprehensive risk management plan to address identified risks.
  • Implement technical, physical, and administrative safeguards to protect PHI.
  • Regularly review and update HIPAA policies and procedures to ensure ongoing compliance.
  • Provide ongoing training and education to staff members to reinforce best practices for HIPAA compliance.
  • Establish a process for timely notification of breaches to affected individuals, the Department of Health and Human Services (HHS), and the media, as required by HIPAA regulations.

Ensuring compliance with the HIPAA Omnibus Rule can be a complex and challenging process for healthcare providers, health plans, and their business associates. To help your organization navigate these requirements and maintain ongoing compliance, consider investing in comprehensive HIPAA training for your staff.

HIPAA Exams offers compliance training courseware specifically designed for healthcare workers. Our "HIPAA for Health Care Workers" training course covers essential topics, including the Omnibus Rule, and provides the knowledge and tools needed to protect patient privacy and secure protected health information (PHI).

By prioritizing staff education and implementing the strategies outlined in this article, your organization can confidently meet the challenges of the HIPAA Omnibus Rule and demonstrate a strong commitment to safeguarding patient data. Take the first step towards a culture of compliance by visiting HIPAAexams.com today and exploring our comprehensive HIPAA training solutions.