In order to comply with the Omnibus Rule, organizations must
update their internal privacy policies to reflect the changes to the HIPAA
Privacy Rule, Security Rule, and Breach Notification Rule. Here is a quick summary of those changes:
Release of Decedents’ PHI.
Under the Omnibus Rule, the definition of “protected health
information” now expressly excludes the health information of a person who has
been deceased for more than 50 years. In addition, the Omnibus Rule provides
that providers may disclose the PHI of a deceased person to such person’s
family members, relatives or other individuals indicated by the deceased, who
were involved either in the deceased’s care or the payment of care. Providers
may disclose only PHI that is relevant to the family member, relative, or
friend’s involvement in the deceased’s care. PHI cannot be disclosed if the
deceased person expressed a prior preference for it not to be disclosed.
Patient rights to limit disclosures.
Under the Omnibus Rule, your organization must comply with a patient’s request that PHI regarding a
specific health care item or service not be disclosed to a health plan for
purposes of payment or health care operations if the patient paid
out-of-pocket, in full, for that item or service.
Providing electronic copies of medical records.
Providers must comply with a patient’s request
for an electronic copy of his or her PHI if the records are maintained in an
electronic format and are readily producible in the requested format.
Changes to the Breach Notification Standards.
The Omnibus Rule changed the standard for determining
whether a breach of unsecured PHI has occurred, and what steps the provider
must follow. In essence, your internal
policies must spell out more completely how you will respond to a potential breach,
and the requirements are now tighter. Once the new
standards are reflected in your policies, you should no longer use your previous
breach standard, even for breaches that occurred prior to the Omnibus Rule’s
compliance deadline.
Marketing and sale of PHI.
Under the Omnibus Rule, the marketing or sale of products
based upon patient PHI is generally prohibited. These prohibitions generally do not
apply if your organization has received valid authorization from the
patient. Organizations must also ensure
that any definitions of “marketing” and “sale of PHI” in their policies comply
with the revised definitions and standards under the Omnibus Rule.
HHS has posted on its website the audit protocol derived
from the recently completed audit pilot program. The audit protocol provides a
helpful list of the items that an auditor will review when assessing whether a
covered entity is in compliance with HIPAA.
After the policies are finalized, your organization should
formally adopt and approve the policies in accordance with any procedural
requirements in your governing documents or standard operating procedures.
Staff Training Requirements.
Any time your organization updates its privacy policies,
workforce members should receive training on any new and revised policies. In
particular, management and higher-level employees should be fully trained on
the new breach standards.
Training is an important component of compliance with HIPAA and
the HITECH Act. Security training should be documented and maintained in your
training logs. Program details may be requested during an audit or
investigation.
Changes to Notice of Privacy Practices.
The Omnibus Rule modifies and expands the content of the
notice of privacy practices (NPP) that a provider is required to maintain and
distribute to its patients. A covered
entity must:
- Make its NPP available to patients who request a copy on or after the effective date of any revisions.
- Post the revised notice on its website, if applicable.
- Post the notice in a prominent location on its premises.
- Provide new patients who receive services for the first time after modification of an NPP with a copy of the revised NPP.
Also remember that covered entities should always retain
copies of previous versions of their NPPs and of any written acknowledgements
by patients of receipt of NPPs.
Changes to Business Associate Agreements.
There have been changes to the Business Associate Agreement
(BAA) document requirements. The Omnibus Rule has
changed the definition of a “Business Associate,” which now includes subcontractors
of business associates that deal with PHI.
Covered entities are not required to enter into BAAs with downstream
subcontractors. Rather, the business associate who contracts with the
subcontractor must enter into a BAA with the subcontractor and you should
require proof of compliance.
Are you unsure of your status on HIPAA Compliance? Contact ACT for a FREE consultation and review of your readiness at (847) 639-7000 or by e-mail at support@act4networks.com