The HIPAA Omnibus Rule, also known as the HIPAA Final Rule, was added to the Federal Register in 2013. It doesn’t cover one specific area of regulations but rather updates and clarifies existing rules.
The driving force behind its creation was the passage of the HITECH Act of 2009, which updated HIPAA for a rapidly changing technological environment. The rule takes other legislation into account as well, and some of its changes reflect HHS’s experience with applying the earlier HIPAA rules.
The changes are extensive and detailed. Any organization that qualifies as a Covered Entity or Business Associate needs to be aware of its updated requirements. Likewise, any organization that handles protected health information (PHI) should also check it, as it changes the criteria for who falls under those categories.
The Omnibus Rule has been in effect for over seven years. Current sources of information take it into account, but guides to HIPAA that have not been recently updated could be incomplete and misleading. So here’s what you need to know.
Overview of the Omnibus Rule
Unlike most other HIPAA rules, such as the Privacy and Security Rules, the Omnibus Rule can’t be considered by itself. It is a compendium of revisions that affect the meaning, scope, and interpretation of the other rules. It has four major sections, the final versions of earlier Interim Final Rules.
- Modifications to the Privacy, Security, and Enforcement Rules. The changes are mostly based on statutory requirements in the HITECH Act. Notable changes include increasing the liability of Business Associates, placing stricter restrictions on marketing uses of PHI, and in some cases, simplifying access to information.
- Changing and generally increasing the monetary civil penalties that can be applied to violations.
- Revising the requirements for breach notification with a more objective, multi-part standard.
- Updating the Privacy Rule to include genetic information in PHI and prohibit its use in the underwriting process of health plans.
Significant changes to earlier rules
Organizations that handle PHI must consider the Omnibus Rule in determining whether they count as Business Associates. A Business Associate is not just an organization that processes PHI directly for a Covered Entity but also subcontractors of such organizations, their subcontractors, and so on. A Covered Entity requires a chain of assurance covering its direct BAs and everyone down the contractor chain whose role qualifies them as BAs. Organizations that act only as conduits for information are exempt, but the Omnibus Rule narrows the definition of a conduit.
The Omnibus Rule creates an exception to the definition of PHI. The Privacy and Security Rules do not apply to the health information of people who died more than 50 years earlier, which eases the handling of archival information.
The Enforcement Rule significantly differs from the earlier version, largely because of the HITECH Act. The minimum penalties were increased, with a cap of $1.5 million for any number of violations of an identical provision. Business associates are directly liable to the government for certain violations. The rule defines four tiers of violation:
1. Unknowing.
The CE or BA did not know and could not have reasonably known about the violation.
2. Reasonable cause.
The organization knew or could reasonably have discovered the violation but wasn’t willfully negligent.
3. Willful negligence, corrected.
The violation resulted from conscious intention or reckless indifference to HIPAA rules, but it was corrected within 30 days of discovery.
4. Willful neglect, uncorrected.
A case of willful neglect that was not remedied within 30 days of being discovered.
A change to the privacy rule reflects the Genetic Information Nondiscrimination Act (GINA) of 2008. They consider genetic information, including the results of genetic testing or related counseling, as PHI (Protected Health Information). They cannot disclose it for use in underwriting HIPAA-covered health plans.
Other changes in the privacy rule ease the release of information in certain cases. For example, a written form is no longer required when a parent permits to release a child’s immunization information.
The criteria for triggering a breach notification replaces an earlier rule based on “harm to an individual.” A four-factor test now applies, with the hope of providing a more objective standard.
Compliance with the Omnibus Rule
Anyone looking through the rule on the Federal Register will see that it is complex and often difficult to understand. Any organization handling PHI should retain a lawyer for advice on HIPAA compliance. To make the best use of legal advice, though, management should understand enough about the rules to know what questions to ask.
Anyone handling personal health information regularly should check if they count as Covered Entities or Business Associates. They should also review their practices to identify ones likely to be covered by HIPAA. They should remember important issues like processing or retention of genetic information, as well as the use of anyone’s personal health information for marketing.
If deemed willful, a violation can cost millions of dollars. It’s better to make sure all policies and practices are acceptable under HIPAA than to risk a costly investigation.
Contact us to learn how we can help you with ensuring HIPAA compliance.