HOW TO SURVIVE HIPAA’s NEW OMNIBUS RULE
The HIPAA Omnibus Rule compliance deadline is coming up soon! The new rule will affect medical practices and their business associates.
How can you survive this new rule and its sweeping changes?
First, know the facts. Read the information below, which covers the basics of the new rule. Second, learn how the new rule will affect your medical practice by attending one of our upcoming FREE webinars.
HIPAA Omnibus Rule – The Basics
Enforcement of the HIPAA Omnibus Rule begins September 23, 2013. Most of the HITECH Act pertaining to HIPAA will be officially enforced by the Office of Civil Rights.
The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS by a covered entity.
Some of the largest breaches reported to HHS have involved business associates. Penalties for noncompliance are increased based on the level of negligence, with a maximum penalty of $1.5 million per violation.
What is a covered entity?
A Health Care Provider
Includes: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies
A Health Plan
Includes: health insurance companies, HMOs, company health plans, government programs that pay for health care (such as Medicare, Medicaid, and the military and veterans health care programs).
A Health Care Clearinghouse
This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
What is a business associate?
Business associates deal directly with practices, creating, storing, manipulating, or transmitting protected health information. They are now under the HIPAA regulations themselves, which means they are subject to inspections and fines.
Subcontractors in this context work with the business associates who work with covered entities (practices), but they are not directly under the HIPAA regulations and are not at this time subject to HIPAA inspections and fines.
What must a covered entity do as of September 23, 2013?
Allow patients to request a restriction of information to their insurance company if they pay for a service or item with no involvement by insurance. While the patient may use a medical savings account to pay for the service, they may not restrict the information to one insurance company but submit a claim to another company for the same service or item.
Follow very strict guidelines to notify patients if there is a breach of protected health information and, if more than 5 patients were affected, notify the Secretary of Health and Human Services as well.
Include both of the above new requirements in a new Notice of Privacy Practices, which must be displayed in the practice, posted on the practice’s website, offered to all new patients, and made available to anyone who may request it, including established patients who have already signed an acknowledgement form.
If you have questions about this topic or any other issues around the business of medicine, contact us via email or call us at 800-635-4040.