The Omnibus HIPAA rule affects healthcare organizations in three areas: privacy, security, and the breach standard and notification requirements; on top of these comes the HIPAA enforcement rule, which applies the increased tiered civil monetary penalty structure of the HITECH Act.
The new standards put more pressure on healthcare facilities and their information security planning. Executives and CIOs need to ensure that their networks are secure, that their partners are in compliance with HIPAA, and that patients can access their PHI while its privacy is fully protected.
A quick look at some of the changes that come with Omnibus HIPAA can give a better idea of what is expected from healthcare providers.
Privacy
The new privacy policy includes: revising the breach standard; distribution requirement for privacy notices; the prohibition on use of genetic information; electronic PHI access rights to all individuals; and timeframes for responding to a request for access. All these revisions have the purpose of ensuring patient information privacy rights and timely access to their PHI.
Security
In order to improve information security the Omnibus HIPAA has included revisions to business associate agreements. Associates must comply with all the HIPAA security rules; report any breaches of unsecured PHI; enter a written business associate agreement with subcontractors; and also, comply with the HIPAA privacy rules. The Final Rule also expands the definition of business associates to include any entity that maintains PHI, like data storage vendors.
Breach Standard and Notification
Under the new breach standard, a breach occurs when the security and/or privacy of PHI has been compromised. The acquisition of PHI no longer has to pose a meaningful threat to be considered a breach; rather, a breach happens with any acquisition, access, use, or disclosure of PHI in violation of the HIPAA privacy rules. The new breach standard is paired with a notification requirement on healthcare providers: if a breach occurs, they must notify the affected individuals, HHS, and in some cases the media.
The new HIPAA standards increase sensitive data security and individual privacy, but they also increase the efforts healthcare organizations must take towards their information security measures so that they may ensure compliance and pass audits.
- Both the breach standard and the notification practices imply the need for a reliable network that safeguards and secures the transfer of data, but also the need to train staff on the privacy rules and on how to avoid information security breaches.
- Risk assessments and information security plans, accompanied by expert advice on which steps to take to meet all HIPAA requirements, are also helpful measures.
Preparedness and prevention through a secure network, the training of staff, setting up regular scans, and working alongside a trustworthy information security company are fundamental to help ensure Omnibus HIPAA compliance and to maintain optimal business performance. Healthcare facilities also gain the benefit of saving money from penalties and breaches that could otherwise take place when the correct measures aren’t taken.
The Omnibus HIPAA rule became effective in March, and healthcare organizations must meet compliance by September 23, 2013. Given the magnitude of what they must implement under Omnibus HIPAA, decision makers should carefully consider their options and take action as soon as possible.