The HIPAA Omnibus Rule, published in the Federal Register, made the final modifications to the HIPAA Privacy and Security Rules. The Omnibus Rule also changed the Enforcement and Breach Notification Rules.
What is the HIPAA Final Omnibus Rule?
On January 17, 2013, the HIPAA and HITECH regulations were subject to a 500-page overhaul of the rules and regulations, known collectively as the Final Omnibus Rule. The Omnibus Rule went into effect for healthcare providers on March 26, 2013.
This omnibus final rule is comprised of the following four final rules:
1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010. The modifications are listed below:
   - Make Business Associates of Covered Entities directly liable for compliance with certain HIPAA Privacy and Security Rules' requirements.
   - Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
   - Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
   - Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
   - Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
   - Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and replaces an interim final rule published on August 24, 2009.
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.
What Constitutes a Data Breach?
For the purposes of HIPAA/HITECH, a breach is defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information (PHI). Any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised, based on a risk assessment that considers at least the following factors:
- The nature and extent of the PHI involved
- Likelihood of re-identification
- Who made use of or disclosed the PHI
- Whether the PHI was actually accessed or viewed
- The extent to which the risk to the PHI has been mitigated
There are three exceptions to the definition of a breach:
- Unintentional, good-faith access to or acquisition of PHI by an authorized employee in the course of business
- Unintentional disclosure of PHI by an authorized person to another authorized person
- A good-faith belief that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the information
Breach Notification Rules
HIPAA/HITECH includes specific provisions for data breach notification. The requirements are as follows:
Individual Notice: Covered entities must notify affected individuals following discovery of a breach of unsecured PHI. Individual notice must be provided by first-class mail, or by email if the individual has agreed to receive such notices electronically. If a covered entity has out-of-date or insufficient contact information for 10 or more individuals, it must provide substitute notice of the breach either on the home page of its website for at least 90 days or through major print and broadcast media in the area where the affected individuals likely reside.
Media Notice: In the event that a breach affects more than 500 residents of a State or jurisdiction, in addition to individual notification, the covered entity must issue a press release announcing the data breach to media outlets serving the affected area.
Notice to the Secretary: In addition to individual and media notification (where applicable), covered entities must notify the Secretary of the Department of Health and Human Services of breaches of unsecured PHI.