October 30, 2015

3 HIPAA Omnibus Rule Essentials for IT/Security

Mohan Balachandran

Datica Alumni — Former Co-Founder

In 2013, the Office for Civil Rights (OCR) began enforcing a new set of regulations intended to improve patients’ access to their medical records and to strengthen the security of protected health information (PHI). Known as the HIPAA Omnibus Rule, these regulations have forced healthcare organizations and their business associates to scrutinize how they store and transmit patient data. The changes range from new rules for the records of deceased patients to how providers may market third-party services, but here are three need-to-knows for the healthcare IT professional.

Business Associates must provide proof of compliance to Covered Entities

Under the HIPAA Omnibus Rule, covered entities must ensure that their business associates are carrying out proper compliance efforts. This is formally referred to as “satisfactory assurance”: a covered entity must obtain it in order to confirm that PHI handled by a business associate meets the security and privacy requirements of the Omnibus Rule, HIPAA, and HITECH. So business associates must not only be compliant, they must also produce documentation and other evidence that proves compliance, which has always been the most difficult part of HIPAA.

No penalty caps

The HIPAA Omnibus Rule brought some clarity to the penalties for violations. HITECH appeared to cap the total fines that could be assessed, and the Omnibus Rule adopts HITECH’s tiered penalty structure: civil penalties of up to $1.5 million per calendar year for all violations of an identical HIPAA provision. Both covered entities and business associates face the higher penalty tiers when willful neglect is involved. The important caveat is that the $1.5 million cap is per provision, not per organization: violations of different provisions are counted separately, each with its own cap of up to $1.5 million per year, so there is no overall ceiling on what an organization can be fined.

Data breaches are assumed with PHI disclosure

Before the HIPAA Omnibus Rule, if a covered entity or business associate reasonably believed that improperly disclosed PHI had not been accessed or posed no significant risk of harm, that was the end of it; no further investigation or reporting was required. Under the Omnibus Rule, an impermissible disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised. “Innocent until proven guilty” no longer applies: organizations must prove their innocence rather than have it assumed. Every such incident must be recorded in the organization’s HIPAA compliance documentation, because retaining the investigation record is a mandated process.

Check out these other articles to brush up on what you need to know about HIPAA:

  1. Fifty States of HIPAA
  2. What is the cost of a HIPAA audit?
  3. Beware of HIPAA Ready Vendors!