HIPAA Omnibus Applies to Business Associates and Sub Contractors

On March 24, 2012 the Office of Civil Rights (OCR) sent the final HIPAA Omnibus Rule to the Office of Management and Budget for review before publication in the Federal Register. At last week’s Health Privacy Summit in DC, ONC Farzad Mostashari announced in his keynote address that the final HIPAA Omnibus Rule is expected late this summer.

The omnibus enforces HIPAA privacy, security and breach notification rules and combines four previous separate rules:

• Breach Notifications IFR
• Enforcement and Compliance IFR
• Genetic Information Non-discrimination Act NPRM
• HITECH Act Privacy and SecurityEnforcement NPRM

The HIPAA omnibus also extends liability to business associates and subcontractors, a key provision in the proposed rules.

As reported by Health Data Management in his keynote Mostashari emphasized ONC’s priority to expand adoption of electronic health records and with that comes the need to extend trust in the exchange of health data. “You can’t get information exchange unless there’s trust. We can’t get a learning health system unless there’s trust.”

The ONC’s Office of the Chief Privacy Officer (OCPO) has released a guide for providers and their staff to help understand privacy and security when it comes to electronic health records (EHRs) and meaningful use. “Guide to Privacy and Security of Health Information” is a comprehensive tool assisting professionals in integrating privacy and security into their practices. The guide includes information on:

• Privacy & Security and Meaningful Use
• Security Risk Analysis and Management Tips
• Working with EHR and Health IT Vendors
• A Privacy & Security 10-Step Plan
• Health IT Privacy and Security Resources

For additional information on HIPAA-HITECH, you can download Preparing for HIPAA Security Rule Again; now, with Teeth from the HITECH Act, a white paper that looks at how the HITECH Act significantly modified and strengthened many aspects of the HIPAA Security Rule.