HIPAA OMNIBUS RULE:
NEW CHANGES TO HIPAA PRIVACY PRACTICES AND SECURITY RULES
The following summary provides an overview of the steps providers will need to take in each of these areas to meet the new requirements under the HIPAA Omnibus Rule.
Breach Notification Policies and Procedures
The HIPAA Omnibus Rule lowers the standard for breach notification. Under the previous rule, breaches were not required to be reported to the Department of Health and Human Services (“HHS”) unless they posed a “significant risk of reputational, financial or other harm” to individuals. The new standard presumes that a reportable breach has occurred unless the covered entity or business associate, through the use of a multi-factor risk assessment, determines that there is a low probability that the protected health information (“PHI”) has been compromised by the unauthorized use or disclosure.
To demonstrate that there is a low probability that a breach compromised PHI, a provider must perform a risk assessment that addresses the following minimum standards:
A provider must be able to quickly perform a risk assessment that will: (1) review a potential breach; (2) identify whether it is reportable and how to mitigate the harm; and (3) remediate the problem. Providers should revise their breach notification policies and procedures prior to September 23, 2013 to reflect this new breach analysis process.
Notice of Privacy Practices
As a result of the changes in the HIPAA Omnibus Rule, providers will be required to revise their Notice of Privacy Practices and post their NPP in a clear and prominent location. If the provider maintains a website, the NPP also must be posted there. NPPs now must include the following provisions:
The HIPAA Omnibus Rule also eliminates requirements to include information in NPPs concerning appointment reminders, treatment alternatives, and health-related benefits or services, but the rule does not require that such information be removed either.
Business Associate Agreements
The definition of the term “business associate” has been expanded to include: health information organizations, personal health vendors, subcontractors of the business associate, and individuals or entities that create, receive, maintain, or transmit PHI for a covered entity. It is significant that this definition now includes subcontractors of business associates and entities that maintain PHI. By adding this language, HHS clarified that you can have a “business associate of a business associate” and that business associates who use subcontractors for functions involving PHI will need to enter into business agreements with those subcontractors. Further, based on the addition of the word “maintain” to the definition, covered entities should require off-site records storage facilities or cloud storage providers, who maintain PHI, to sign business associate agreements.
The OCR has published a form business associate agreement on its website, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html, incorporating the new HIPAA Omnibus Rule. A sample business associate agreement is also attached to this memo. Providers should compare their existing templates to these new forms, or adopt one of the forms as their new agreement. Business associates should require applicable subcontractors to sign business associate agreements that track the new form and, in addition, address the terms of the business associate agreement with the covered entity.
Liability for Business Associates
One of the important clarifications under the HIPAA Omnibus Rule relates to covered entities’ liability for the conduct of their business associates. Prior to the promulgation of the HIPAA Omnibus Rule, it was unclear whether covered entities could be held liable for their business associates’ HIPAA violations if the covered entity had an appropriate business associate agreement in place and took reasonable steps to address breaches. The HIPAA Omnibus Rule clarified that a covered entity can indeed be held liable for the acts or omissions of its business associates that are acting as the covered entity’s “agent,” as determined under the federal common law of agency. This agent liability also extends to a business associate for the actions or omissions of its subcontractors.
Whether an agency relationship exists under federal common law is a fact-specific inquiry. While there are many factors to consider, HHS has indicated that the essential factor in determining whether an agency relationship exists is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity. Ultimately, the more discretion and independence the business associate has in performing functions for the covered entity, the less likely it is that an agency relationship exists.
HIPAA Privacy Policies and Procedures
Providers must update privacy policies and procedures to address changes made by the HIPAA Omnibus Rule in the following areas: