Although the HIPAA Omnibus rule was implemented on March 26th, 2013, businesses everywhere were given roughly 6 months to comply with the new standards. Fast forward 180 days and as it would appear the deadline has passed four days ago, on September 23rd. This means that if you are the member of a company or business in the healthcare industry (or have direct relation to it), and are somehow hearing about this for the first time through me (you’re welcome), it’s probably time to become compliant. Otherwise, you may begin to see heavy fines coming your way in the not-so-distant future.
Now, I realize perfectly well that real-life implementation of the various new sets of regulations and standards outlined in the table-breaking 563 page document that the Department of Health and Human Services put out can be a daunting task. So, to help begin with the understanding process if you’re an Omnibus Newbie, or to reinforce what you may already know if you’re a HIPPA buff/enthusiast, I have briefly listed below what I believe to be three important changes:
1. Business Associates Must Also Be HIPAA Compliant
They say that it takes two to tango. Although this phrase only somewhat bears relevance to the matter at hand, it represents the fact that the government now expects healthcare providers to work with other companies to help safeguard data. Under the Omnibus rule, these other outside “storage companies” or “business associates” are also required to be HIPAA compliant. Now, “What defines a company as a business associate?” you may ask. Well, according to the official document, a business associate is defined as one who, “creates, receives, maintains, or transmits protected health information on behalf of a covered entity.” So, it’s very important to make sure the company that houses your documents, whether they be digital or tangible, is also up to code. Having your classified patient files show up on an episode of “Storage Wars” would probably be a very bad thing for business.
2. Changes to the HIPAA Privacy Rule
Although there are numerous changes to the privacy rule (way too many to talk about here while trying to maintain your interest) there were a few that caught my eye. Omnibus has taken the liberty to add some specifications as to when authorization is required from a patient for disclosure of information and when said authorization is not required. Most all disclosures of psychotherapy notes, information for marketing purposes, and sale of protected information require the thumbs up from the patient. Although I won’t list them all, some of the notable exceptions to the authorization rule include, “sale, transfer, merger or consolidation of all or part of a covered entity,” and always being able to provide, “an individual with access to his/her Protected Health Information.” In addition, our deceased loved ones now have HIPAA protection for up to 50 years after their death and we, as family members, will always be able to have access to their medical information.
3. A Tiered Structure For Handing Out Fines
To take away from the ambiguity of the old system and add peace of mind to the companies that fail to comply as to what they will likely be paying to good old Uncle Sam if caught; a new, tiered fine system has been implemented. Starting off, a company or business that fails to comply with HIPAA rules could be the subject of minimum penalties of $100 per violation. This number could jump as high as $25,000 for identical violations that occur during a calendar year. Privacy breaches can be the victim of a penalty of up to $1.5 million.
Obviously this is a very brief overview of select parts taken from the HIPAA Omnibus Rule. If you would like to find out some more information, I encourage you to read the official document which can be found here. If you’re still looking to become compliant or will be doing so in the future, luckily we can help!
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Nate is a Marketing Manager at STEALTHbits and has worked in the IT Security industry for 5 years.