Highlights of HIPAA Privacy and Security Omnibus Bill Released on January 17, 2013

Carolyn Hartley, President, CEO, Physicians EHR

Late Thursday afternoon (1/17/13) HHS released the long awaited HIPAA privacy and security measures that provide individuals new rights to their health information and also add more teeth in the government’s ability to vigorously enforce privacy, security.

While health care providers have primarily been the target of privacy and security regulations, the Omnibus rule (so called because of the sweeping changes), focuses on business associations and relieves some burden from covered entities by making business associates directly liable for compliance with some HIPAA Privacy and Security rule requirements.

The newly released rules are divided into four final rules:

1. Final modifications to HIPAA Privacy, Security and Enforcement Rules embedded in the HITECH Act
2. Final rule enforcing tiered civil monetary penalties
3. Breach Notification Rule
4. Non-discrimination against consumers/patients with genetic information, and prevents health plans from discrimination for underwriting purposes.

A quick overview of what these HIPAA privacy and security measures means to providers:

• Covered entities will most likely need to revise and distribute new notice of privacy practices informing individuals of their rights and how information is protected, a process affecting approximately 700,000 covered entities.
• Business associates must bring subcontracts with covered entities into compliance – details to come in another posting.
• Patients can restrict disclosures to a health plan if they pay in full for treatment. This right will undoubtedly cause plenty of discussions.
• Allow families access to decedent family member’s health information.
• Expanded patient rights to receive electronic copies of their health information
• Final rule enforcing tiered penalties provided in the HITECH Act.
• Final rule on Breach Notification Rule with new thresholds defining “harm.”

Business Associates are now directly liable for:

• impermissible uses and disclosures
• failure to provide breach notification to the covered entity
• failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee
• failure to disclose protected health information where required by the Secretary to investigate or determine
• failure to provide an accounting of disclosures
• failure to comply with Security Rule requirements
• [§ 164.502(a)(3), § 164.410, and § 164.502(a)(4)(ii)]
• In a proposed rule, Business Associates also are subject to the Minimum Necessary Rule.

The cost to implement HIPAA 2013 is expected to range from $115 million to $225.4 million in the first year; with subsequent years at about $14.5 million.

More to come as we dive into this 563 page update.

Carolyn P. Hartley serves as provider/clinic advocate managing the health IT implementation process. Most recently, she and her team of EHR project managers have been called upon to diagnose and rescue implementations for oncologists, nephrologists, neurologists and community health centers in 23 states. Carolyn also serves as contracted EHR technical facilitator to national and state medical societies. She is lead author of 15 books focused on health IT adoption. Two of her 2011 AMA bestselling books include EHR Implementation: A Step by Step Guide for the Medical Practice, 2nd Edition, and HIPAA Plain & Simple, 2nd Edition.