Why the Omnibus Rule (The Final Rule)
Are You Ready?
An article by Judith Lindsay
Published Date: June 29, 2014
The Office for Civil Rights of the U.S. Department of Health & Human Services (OCR) published the long-anticipated final omnibus rule (the Final Rule) in the Federal Register on January 25, 2013. This rule permanently changed the way any medical provider or contractor that handles Protected Health Information (PHI) or electronic Protected Health Information (ePHI) does business, and the regulatory compliance landscape it created is complex and, in places, ambiguous.
This rule made significant changes to the Privacy, Security, Breach Notification and Enforcement Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), many of them required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Final Rule also implements changes required by the Genetic Information Nondiscrimination Act of 2008.
With these sweeping changes, the Final Rule is extensive and strengthens OCR's ability to enforce HIPAA. OCR Director Leon Rodriguez stated in the press release that "individuals and entities affected by the Final Rule must comply with most of its provisions by September 23, 2013."
Why all the changes? The HIPAA & Breach Enforcement Statistics for June 2014, produced by Health Information Privacy/Security Alert (HIP/SA) and published by Melamedia, LLC, show 992 reported breaches involving 500 or more patients. These incidents affected 786,649 patients, according to HIP/SA's latest analysis of OCR data covering April 18, 2014 through May 17, 2014, and more than 31,423,111 patients have been affected since HIP/SA began documenting these breaches. Business Associates (BAs) account for over one third of the breaches documented.
Combine that data with the 2006 figures from the Centers for Disease Control and Prevention (CDC). There were over 1.1 billion visits to physicians, emergency rooms and hospitals in 2006, a rise of 26% from 1996 to 2006, or an average of about 4 medical visits per person per year, while the US population grew only 11% over the same period. In addition, 7 in 10 medical visits resulted in at least one medication being provided, prescribed or continued, for a total of 2.6 billion drugs overall. Every one of those visits and prescriptions generates PHI that must be protected.
Recently a large medical billing company in California received a file from one of its clients. The physician's electronic file contained malware (malicious software). The billing company's practice was to receive the billing file electronically and to send the data back to the medical provider the same way. This one infected file resulted in the entire physician group being in breach. Another example happened in the Phoenix area: a large group of dentists suffered a breach caused by a malware-infected file, and the fines and penalties were crushing, resulting in a bankruptcy filing.
The HITECH Act requires the U.S. Department of Health and Human Services (HHS) to conduct periodic audits of covered entities and business associates for compliance with the HIPAA Privacy Rule, Security Rule and Breach Notification Rule.
A covered entity is a health care provider (a physician, clinic, psychologist, dentist, chiropractor, nursing home or pharmacy, among others) that transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard; health plans and health care clearinghouses are covered entities as well. A business associate is a person or organization that performs functions or services involving PHI on behalf of a covered entity. The functions may include claims processing, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management and practice management. The services may be legal, accounting, consulting, data aggregation, management, administrative, accreditation or financial.
The Final Rule gives a covered entity or business associate until September 22, 2014 to bring an existing business associate agreement with a business associate or subcontractor into compliance, provided that the agreement was in place before January 25, 2013, complied with HIPAA as it stood before the Final Rule, and was not modified or actively renewed between March 26, 2013 and September 23, 2013. In all other cases, covered entities and business associates had to execute compliant business associate agreements with their business associates and subcontractors no later than September 23, 2013.
The recent findings of the OCR audit program also underline how broad PHI is. PHI is individually identifiable health information, meaning health information that can be linked to a particular person. The identifiers that make information identifiable include: names; geographic identifiers; dates directly related to an individual; telephone or fax numbers; social security numbers; medical record numbers; health insurance beneficiary numbers; patient account numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; URLs and IP addresses; biometric identifiers, including fingerprints and retina and voice prints; full-face images; and any other comparable identifier.
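Several of the identifier categories above have a regular shape (social security, telephone, date, IP, URL, vehicle and labelled record numbers), which makes it practical to scan a billing export or other outbound file for them before it leaves the practice. The following is an added example written for this article, not code from the author or from OCR; the regular expressions and the sample export are constructed assumptions, and the scanner is a heuristic aid for a risk assessment, not a complete de-identification tool (names, geographic identifiers, biometrics and face images are deliberately out of its scope).

```python
"""Heuristic scan of a text export for HIPAA identifier categories.

Added example for this article; the patterns are constructed assumptions
covering only the identifier categories that have a regular format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Categories from the identifier list that can be matched by shape.
# Names, geographic identifiers, biometrics and face images need dictionary
# or ML-based detection and are deliberately out of scope here.
PATTERNS: dict[str, re.Pattern[str]] = {
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # (602) 555-0147, 602-555-0147 or 602.555.0147; lookarounds stop
    # partial matches inside longer digit runs
    "telephone or fax number": re.compile(
        r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}(?!\d)"
    ),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    # Labelled record/account numbers, e.g. "MRN: 0048213" or "Account # 12345"
    "medical record or account number": re.compile(
        r"\b(?:MRN|account)\s*(?:no\.?|#|:)?\s*\d{5,}\b", re.IGNORECASE
    ),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"\bhttps?://\S+"),
    # 17-character VIN; the letters I, O and Q are never used in a VIN
    "vehicle identifier (VIN)": re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"),
}


@dataclass(frozen=True)
class Finding:
    category: str
    value: str
    line: int


def scan_text(text: str) -> list[Finding]:
    """Return every identifier match, with the 1-based line it was found on."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(category, match.group(0), lineno))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count matches per category, the figure to record in the risk assessment."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.category] = counts.get(finding.category, 0) + 1
    return counts


def redact(text: str) -> str:
    """Replace each match with its category label before the file is sent on."""
    for category, pattern in PATTERNS.items():
        text = pattern.sub(f"[{category}]", text)
    return text


# Constructed sample resembling a billing export; not real patient data.
SAMPLE_EXPORT = """\
Patient: Jane Q. Sample, DOB 03/14/1962, MRN: 0048213
Phone (602) 555-0147, SSN 123-45-6789
Remit to https://billing.example.com/claim/77 from 192.0.2.44
Vehicle on file: 1HGCM82633A004352
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f.line}: {f.category}: {f.value}")
    print(summarize(scan_text(SAMPLE_EXPORT)))
    print(redact(SAMPLE_EXPORT))
```

Run against the constructed sample, the scanner reports one hit in each of the seven categories, and `redact` returns the same text with each hit replaced by its category label. In practice the pattern set needs tuning to local formats (practice management systems label record numbers differently), and a file that produces findings should be treated as containing PHI and handled under the business associate agreement rather than sent as an ordinary attachment.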
How do you prepare for THE audit? Being prepared matters, and you can accomplish it by taking the following steps:
1) Provide the Notice of Privacy Practices, with the appropriate changes, to patients. Maintain a log of any disclosure requests and their results, and ensure that you have a process for tracking requested disclosures in your EHR.
2) Have written and signed business associate agreements with every entity that qualifies as a business associate. Maintain a log of all business associate agreements, including when each was last updated.
3) Conduct regularly scheduled, thorough assessments of the risk to electronic protected health information (ePHI), and document the schedule.
4) Implement the required technical and administrative safeguards to protect ePHI. Document action plans and staff training.
5) Hold regularly scheduled training for all employees; document the topics covered, log the employees attending and require each to sign and date the attendance record.
6) Update or develop formal policies and procedures for the privacy and security of PHI and ePHI to reflect the changes resulting from the Final Rule.
7) Maintain all documentation pertaining to policies, procedures, training, violations, breach analyses and updates, and make sure that every document is dated.
It is no longer a question of IF you will be audited, but WHEN. If you have not already started developing your policies and procedures, or updating your existing ones, keep in mind that once OCR notifies you of a pending audit you will have only 30 to 90 days before the anticipated on-site visit.