Datica Blog

3 HIPAA Omnibus Rule Essentials for IT/Security

Mohan Balachandran

Co-Founder

October 30, 2015   HIPAA Company

In 2013, the Office for Civil Rights began enforcing a new set of regulations intended to improve patients’ access to their medical records and strengthen the security of protected health information. Known as the HIPAA Omnibus Rule, these regulations have forced healthcare organizations and their business associates to scrutinize how they store and transmit patient data. The changes range from new rules for deceased patients’ records to how providers market third-party services, but here are three need-to-knows for the healthcare IT professional.

Business Associates must provide proof of compliance to Covered Entities

According to the HIPAA Omnibus Rule, covered entities must ensure that their business associates are instituting proper compliance efforts. This is formally referred to as “satisfactory assurance,” and covered entities must obtain it to confirm that protected health information managed by business associates meets the security and privacy requirements of the Omnibus Rule, as well as HIPAA and HITECH. So not only must business associates be compliant, but they must also provide documentation and other sources of information to prove that compliance, which has always been the most difficult part of HIPAA.

No penalty caps

Under the HIPAA Omnibus Rule, some clarity has been brought to penalties for violations. Although the Omnibus Rule itself seems to be silent on the subject, HITECH appeared to put a cap on the total fines that could be assessed, and the Omnibus Rule provides new language that revises HITECH’s penalty cap. The addendum states that there can be civil penalties of up to $1.5 million for all identical HIPAA violations in a year. Both covered entities and business associates can receive further penalties if willful neglect is at play. There can also be additional penalties when the violations are not identical, for up to another $1.5 million per non-identical violation.

Data breaches are assumed with PHI disclosure

Prior to the HIPAA Omnibus Rule, when covered entities and business associates had a reasonable belief that any improperly disclosed PHI had not been accessed, that was the end of it: no further investigation or reporting had to be done. Now, under the Omnibus Rule, an impermissible disclosure of PHI is automatically presumed to be a data breach. “Innocent until proven guilty” no longer applies. The covered entity or business associate must now show that there is a very low probability that the PHI has been compromised. Organizations must prove their innocence rather than having it assumed. These incidents must always be included in proper HIPAA compliance documentation, since retaining the investigation record is a mandated process.

Check out these other articles to brush up on what you need to know about HIPAA:

  1. Fifty States of HIPAA
  2. What is the cost of a HIPAA audit?
  3. Beware of HIPAA Ready Vendors!
