New HIPAA Rules In The Wings - Are You Ready?
Open Minds June 19, 2012
Developed by OPEN MINDS, 163 York Street, Gettysburg PA 17325, www.openminds.com. All rights reserved.
In March 2012, the U.S. Office of Management and Budget (OMB) accepted for review the final changes to the Health Insurance Portability and Accountability Act (HIPAA) that were created by the Health Insurance Technology for Economic and Clinical Health Act (HITECH). The "HIPAA Omnibus Rule," as it is now called, is expected to be finalized and published to the Federal Register sometime later this summer and contains key provisions that executives of health and human service organizations should note and incorporate into their HIPAA compliance program. Some of these anticipated changes include:
Business associates - The rule looks to expand the definition of "business associates" (including health information exchanges/organizations, electronic prescription portals, and vendors) and to hold all entities liable for privacy breaches.
Breach notification - The rule requires covered entities and their business associates to provide notification when a breach of protected health information occurs. There is a specified protocol that includes notifying the press when a breach affects a certain number of patients.
Enforcement and compliance - The HIPAA Security Rule originally went into effect in 2005, yet most organizations are still non-compliant. The Office of Civil Rights (OCR) has begun to enforce this rule and the new omnibus ruling is expected to mandate very serious consequences for covered entities who do not demonstrate protection of electronic health information. Additionally, the final rule will look to limit (or in some cases prohibit) the use of protected health information in marketing campaigns and the sale of protected health information.
Policy and procedure documentation - The new rule places heavy emphasis on a covered entity's policies and procedures. This is a very comprehensive component covering electronic health records, security and user access, organizational policies, staff training, and notification processes.
Expanded individual right to access information - This portion of the rule will expand consumers' rights to access their personal and protected information, as well as to provide full disclosure of who else has access to that information.
Genetic Information Nondiscrimination Act - This proposed section of the rule prohibits group health plans and health insurers from denying coverage to a healthy individual or charging higher premiums based solely on a genetic predisposition to a disease.
All told, there are approximately 18 new standards to the security rule, with 35 different specifications that are awaiting the OMB's approval. Many of the suggested changes to HIPAA have already been put into place in many organizations, with the OCR already beginning to levy hefty fines against organizations not complying (see Ten Tactics to Avoid Penalties for Health Information Privacy & Security Breaches).
Will you be ready for this new rule? Stay tuned for our continued coverage of this pressing privacy issue.
Lisette Wright, M.A.
Senior Associate, OPEN MINDS