3. HIPAA Omnibus Rule Purpose
Final Rule Addresses 4 Proposed Rules Published in 2009 and 2010
1. Strengthen the HIPAA Privacy and Security Requirements Mandated by HITECH (Proposed Rule July 2010)
• Strengthen Restrictions on Marketing and Fundraising Activities
• Enhance Patient Rights on Access and Restricting Disclosures to Health Plans
• Modify the Notice of Privacy Practices
• Modify the Authorization process
• Expand Direct Enforcement of HIPAA Requirements and Penalties to Business Associates
4. HIPAA Omnibus Rule Purposes
2. Adopt changes to the Enforcement Rule (Proposed October 2009)
• New Tiered Civil Monetary Penalties Standards
• Increased Monetary Penalties
3. Modify the Breach Notification for Unsecured Protected Health Information by replacing the breach notification rule's "harm" threshold with a more objective standard (Proposed Rule August 2009 – supplanted)
4. Modify HIPAA to conform with the Genetic Information Nondiscrimination Act
5. Important Dates and Laws
1. HIPAA – Privacy Rule Effective on April 14, 2003; Security Rule Effective on April 20, 2005
2. HITECH signed February 17, 2009
• Interim Final Rule on Breach of Unsecured PHI – August 24, 2009 and effective on September 23, 2009
• Interim Final Rule on Civil Monetary Penalty – October 30, 2009 and effective on November 30, 2009
• Proposed Rule on July 14, 2010
3. GINA 2008 – Proposed Rule to address HIPAA on October 7, 2009
6. Effective Dates
Final Rule Provisions:
Final Rule Effective on March 26, 2013
Compliance Deadline September 23, 2013 (for Privacy and Security)
Flexible compliance date standards for Business Associates
Transition provisions permit time to address documents and practices to establish compliance
7. Security Risk Assessment
Ensure the full Risk Assessment has been completed
- Administrative
- Physical
- Technical Safeguards
This is part of the Meaningful Use Requirements
8. Security Breach Notification
• Old standard: Notification required where there was a "significant risk of financial, reputational, or other harm to the individual". The burden was on the CE or BA to show there was no significant risk.
• New standard: Subject to certain existing exceptions, any access, use or disclosure of unsecured PHI in violation of the Privacy Rule is presumed a breach unless the CE or BA demonstrates a low probability that the PHI has been compromised, based on a risk assessment involving at least the following factors:
– Nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification
– The unauthorized person who used the PHI or to whom disclosure was made
– Whether the PHI was actually acquired or viewed
– Extent to which the risk to the PHI has been mitigated
• The Rule also eliminates the exception for limited data sets that do not contain dates of birth or zip codes.
9. Common Violations
Of the 90,000 complaints investigated, the most frequent issues, compiled cumulatively and in order of frequency, are:
Impermissible uses and disclosures of protected health information;
Lack of safeguards of protected health information;
Lack of patient access to their protected health information;
Uses or disclosures of more than the minimum necessary protected health information; and
Lack of administrative safeguards of electronic protected health information.
10. Most Common Violators
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
Private Practices;
General Hospitals;
Outpatient Facilities;
Health Plans (group health plans and health insurance issuers); and
Pharmacies.
11. Enforcement Activities
Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts (APDerm): $150,000.00
Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780.
WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
12. Major Steps to Take Now
• Evaluate BA and subcontractor status
• Evaluate BA and subcontractor agreements for compliance and amend as appropriate
• Evaluate whether BAs and subcontractors are federal common law agents
• Review Security Rule compliance
• Implement BA policies and procedures as appropriate, for example, minimum necessary
• Amend security breach policies and procedures appropriately
• Ensure the Security Risk Assessment and policies are completed and in effect