I know you thought that all your HIPAA policies and procedures were in place and that you were finished with learning about how this law affects you. I am sorry to say that you were wrong.
The four rules that combine to create the omnibus final rule include:
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.
- Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.
- A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on Aug. 24, 2009.
- A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.
Ascertaining the impact of this Omnibus rule could be a while in the making, but HIPAA commentators have begun their assessments. I will be attending a webinar hosted by IDExperts on February 6 in an attempt to start to understand just what has been changed and to try to get an idea about how that affects us and our customers.
On January 30, FierceHealthIT indicated that providers must attend to at least four areas:
Monetary penalties aside, four areas of the rule that will have a significant impact on providers are:
- A change that makes business associates and their subcontractors liable for breaches of personal health information
- An enhanced right for patients to obtain electronic copies of their records
- An enhanced right for individuals to request restrictions regarding disclosure of their PHI
- A change to the breach notification rule in which any disclosure of PHI is presumed to be a breach
That fourth area, the breach notification rule, is one that could affect anyone who handles PHI. Any disclosure of PHI is presumed to be a breach.
When the Interim Final Rule was released in 2009, it introduced the notion of assessing whether any significant “harm” had occurred to those whose data had been lost or viewed inappropriately. David Harlow, author of HealthBlawg, discussed the current change in FierceHealthIT. The bottom line for Mr. Harlow is this:
… the default assumption is that any irregular release of PHI is a breach, with no subjective standard of harm getting in the way. The covered entity or business associate unfortunate enough to have suffered this breach may either (a) immediately acknowledge that it is, in fact, a breach, and rev up the notification machinery (notice to data subjects, the federales–possibly for posting on the Wall of Shame–and the press, as appropriate, based on the size of the breach) or (b) decide that a risk assessment is necessary, and begin its assessment of at least the four factors highlighted in the regulation.
Read more: Uncertainties surround new HIPAA breach notification rule – FierceHealthIT: http://www.fiercehealthit.com/story/guest-commentary-uncertainties-surround-new-hipaa-breach-notification-rule/2013-01-29#ixzz2JZiJrwSa
What impact will this have on you and your organization? If you allow PHI to be released contrary to your policies and to the law, how will you proceed? Do you know? Who is your Privacy Officer? Do they know?
Time to wake up the HIPAA education machinery again! …or for the first time if you do not have such machinery in place.