Jlhoffman Support

Saturday, 10 August 2013

HIPAA Omnibus Rule Compliance Deadline is Near. Are you ready?

Posted on 15:14 by Unknown
The Omnibus Final Rule (Omnibus Rule) was released on January 17, 2013. HIPAA covered entities and business associates are required to be fully compliant with the Omnibus Rule by September 23, 2013. Are you ready?

In order to comply with the Omnibus Rule, organizations must update their internal privacy and security policies to reflect the changes to the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Here is a quick summary of those changes:

Release of Decedents’ PHI.

Under the Omnibus Rule, the definition of "protected health information" now expressly excludes the health information of a person who has been deceased for more than 50 years. In addition, providers may disclose the PHI of a deceased person to that person's family members, relatives, or other individuals identified by the deceased who were involved either in the deceased's care or in payment for that care. Providers may disclose only the PHI that is relevant to the family member's, relative's, or friend's involvement in the deceased's care, and PHI cannot be disclosed if the deceased person expressed a prior preference that it not be disclosed.

Patient rights to limit disclosures. Under the Omnibus Rule, your organization must comply with a patient’s request that PHI regarding a specific health care item or service not be disclosed to a health plan for purposes of payment or health care operations if the patient paid out-of-pocket, in full, for that item or service.

Providing electronic copies of medical records.  Providers must comply with a patient’s request for an electronic copy of his or her PHI if the records are maintained in an electronic format and are readily producible in the requested format.

Changes to the Breach Notification Standards.

The Omnibus Rule changed the standard for determining whether a breach of unsecured PHI has occurred, and what steps the provider must follow. The earlier "risk of harm" test is gone: an impermissible use or disclosure of PHI is now presumed to be a breach unless the covered entity or business associate documents a risk assessment showing a low probability that the PHI was compromised. In practice, your internal policies must spell out more completely how you will assess and respond to a potential breach, and the requirements are now tighter. Once the new standard is reflected in your policies, you should no longer use your previous breach standard, even for incidents that occurred prior to the Omnibus Rule's compliance deadline.

Marketing and sale of PHI.

Under the Omnibus Rule, marketing communications and the sale of PHI are generally prohibited unless your organization has received a valid authorization from the patient. Organizations must also ensure that any definitions of "marketing" and "sale of PHI" in their policies comply with the revised definitions and standards under the Omnibus Rule.

HHS has posted on its website the audit protocol derived from the recently completed audit pilot program. The audit protocol provides a helpful list of the items that an auditor will review when assessing whether a covered entity is in compliance with HIPAA.

After the policies are finalized, your organization should formally adopt and approve the policies in accordance with any procedural requirements in your governing documents or standard operating procedures.

Staff Training Requirements.

Any time your organization updates its privacy policies, workforce members should receive training on any new and revised policies. In particular, management and higher-level employees should be fully trained on the new breach standards.

Training is an important component of compliance with HIPAA and the HITECH Act. Security training should be documented and maintained in your training logs, since program details may be requested during an audit or investigation.

Changes to Notice of Privacy Practices.

The Omnibus Rule modifies and expands the content of the notice of privacy practices (NPP) that a provider is required to maintain and distribute to its patients. A covered entity must:
  • Make the revised NPP available to patients who request a copy on or after the effective date of the revisions.
  • Post the revised NPP on its website, if it has one.
  • Post the revised NPP in a prominent location on its premises.
  • Provide a copy of the revised NPP to new patients who receive services for the first time after the NPP is modified.

Also remember that covered entities should always retain copies of previous versions of their NPPs and of any written acknowledgements by patients of receipt of NPPs.

Changes to Business Associate Agreements.

There have also been changes to the Business Associate Agreement (BAA) requirements. The Omnibus Rule changed the definition of a "Business Associate" so that it now includes subcontractors of business associates that create, receive, maintain, or transmit PHI. Covered entities are not required to enter into BAAs with these downstream subcontractors. Rather, the business associate that contracts with the subcontractor must enter into a BAA with the subcontractor, and you should require proof of compliance.

Are you unsure of your status on HIPAA Compliance?  Contact ACT for a FREE consultation and review of your readiness at (847) 639-7000 or by e-mail at support@act4networks.com