So, you missed the HIPAA Omnibus Rule deadline. Now what?

Next week marks two months since the deadline passed for compliance with the new HIPAA Omnibus Rule, and I thought it'd be a good time to check in to see how you're progressing.

Everyone has everything buttoned up, right? Ready for an audit? No, not exactly? Well, then, you better get moving - as you could face harsh fines of up to $50,000 per violation, with additional penalties based on negligence levels.

First, a primer: If you're not familiar with the Omnibus Rule, it was announced in January by the U.S. Department of Health and Human Services' (HHS) Office of Civil Rights and sets forth requirements for every organization that deals with protected health information, commonly known as PHI. No longer is the burden for HIPAA privacy and security placed solely on covered entities, such as doctor's offices and hospitals, but is now extended to their business associates, such as billing providers or claims processors.

And that's a big deal, considering 58 percent of health care breaches - and some of the largest ones that have been publicly reported - are the fault of third-parties, according to the nonprofit Health Information Trust Alliance (HITRUST).

The Omnibus Rule officially took effect in March, but covered entities, business associates and business associates' subcontractors were given a 180-day grace period to comply with the new requirements. That date came and passed on Sept. 23.

omnibus4.jpg

Pilot audits already are underway, but now that the deadline has passed, more targeted audits were expected to begin in late October. If an organization that handles sensitive patient information is found to be out of compliance with the rule, they could face steep fines.

The Omnibus Rule - which implements the various provisions enacted by the Health Information Technology for Economic and Clinical Health Act (HITECH) - was designed to give HIPAA more "teeth" by increasing privacy protection requirements, providing patients with new rights to their health information and bolstering federal enforcement abilities.

The actual rule is no light read. Including comments by the Office of Civil Rights, the rule checks in at 563 pages long.

But, instead of parsing through the law itself, allow me to highlight some of the notable changes. The following is not a comprehensive list of all modifications to the law, but underscores some key considerations for patients and any organization handling PHI.

For Covered Entities, Business Associates and Subcontractors

  1. New definitions of business associates and subcontractors mean they may now be held directly liable for HIPAA compliance, making updated agreements between these businesses - covered entity with business associate and business associate with subcontractor - more indispensable than ever.
  2. Enforcement capabilities have been enhanced for HIPAA violations due to "willful neglect."
  3. A tiered civil money penalty structure increases potential fines.
  4. Covered entities must revise and redistribute Notice of Privacy Practices (NPP) to patients to reflect Omnibus changes.
  5. The "harm threshold" triggering breach notification requirements is replaced by new objective considerations.
  6. All covered entities, business associates and subcontractors must select a security official to be responsible for HIPAA, and their responsibilities must be assigned and documented.

For Patients

  1. Limitations have been strengthened on the use and disclosure of protected health information (PHI) for marketing and fundraising.
  2. The sale of PHI is prohibited without individual authorization.
  3. Individuals now have the right to request, and receive, electronic copies of their health information
  4. Requirements for PHI use and disclosure authorization have been modified to facilitate research and disclosure of child immunization proof to schools, and to enable access by family members to information of deceased relatives.
  5. The Office of Civil Rights, as part of HHS, and state attorneys general can pursue civil and criminal cases against covered entities, business associates and their individual employees.


In summary, the expansion of patient rights and broader liability for violations each translate into an increased burden on organizations that handle PHI. 

It is covered entities, business associates and subcontractors that must manage the appropriate use and disclosure of information. And in the case of improper use and disclosure, it is covered entities, business associates and subcontractors that are held responsible for misconduct.

HIPAA has come a long way since its inception in 1996, and it's finally got some serious teeth now. HIPAA came to be as part of an effort to ensure businesses allow individuals to maintain insurance coverage when changing jobs.

Seventeen years later, in addition to insurance portability, HIPAA regulates how PHI is handled to make sure those who should - and only those who should - actually have access to their information.  

If you have any questions about HIPAA rules, drop me a line at cdbrown@trustwave.com and I'll be happy to get back to you.

Good luck!

Christoffer Brown is a solutions development specialist on the Compliance and Risk team at Trustwave.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.