HIPAA omnibus final rule—it's time to brush up on the basics

With the release of the Health Insurance Portability and Accountability Act (HIPAA) omnibus final rule, it's time to take a fresh look at office policies, procedures and practices.

With the release of the Health Insurance Portability and Accountability Act (HIPAA) omnibus final rule on Jan. 17, 2013, it's time to take a fresh look at your office's policies, procedures and practices.

In the new rule, the Department of Health and Human Services (HHS) clarifies and provides new guidance on several provisions related to the Health Information Technology for Economic and Clinical Health Act (HITECH), privacy, security, breach notification and enforcement. Individually the changes are not major, but they are widespread and significant enough that you will need to modify your forms and processes. In many ways, HHS is clearing up unanswered questions and tying up loose ends.

The compliance date for these new provisions is Sept. 23, 2013. Here is a summary of the changes and how they might affect your office.

Access to records. Patients have the right to receive an electronic copy of the records you maintain electronically, in the form and format they request if it is readily producible. You will need to work with your vendor so that you can easily copy the necessary records onto a CD or other storage device. It is important to know what you can and cannot include in that record; for instance, outside records would not be included. Practices will need to revise their policies and procedures so that the identity of the person making such a request is verified before anything is released.

Business associates. Your business associates, and their downstream subcontractors, are now directly required to comply with the HIPAA Security Rule, certain provisions of the Privacy Rule, and the breach notification rules. This means that practice management system, electronic health record and e-prescribing vendors, clearinghouses, and patient safety organizations are directly liable for HIPAA compliance, not merely liable to you under their contracts.

For example, a business associate must notify the covered entity of a breach of unsecured protected health information without unreasonable delay, and no later than 60 days after discovering it. Business associates must also provide the covered entity, or the individual, with access to an electronic copy of protected health information so that the covered entity can meet its own access obligations. Practices will need to modify their business associate agreements accordingly.

Notice of Privacy Practices. Covered entities must revise their notices. The revised notice must be posted in a prominent location in the office and on the practice's website, and copies must be available to any patient who asks for one. There are new limits on uses and disclosures of protected health information for marketing and fundraising, and the patient's right to opt out of fundraising has been strengthened. If a third party, such as an equipment vendor or pharmaceutical company, pays you to communicate with patients about its products or services, the patient's written authorization is required. If your parent health system markets to your patients or raises funds from them, the new rules may apply to it as well. Patients must be told how to opt out of fundraising communications, and your Notice of Privacy Practices will need to reflect these changes.

Research. Research authorizations can now be compound, meaning that one authorization can be combined with other written authorizations for the same study, and an authorization may cover future research uses of the data as long as that future use is adequately described. When a conditioned research authorization (one the patient must sign to take part in the study) is combined with an unconditioned one, the unconditioned research must be clearly distinguished and must be opt-in. Your Notice of Privacy Practices and authorization forms will need to be modified accordingly if these rules apply to your practice.

Genetic information. Genetic information is now explicitly defined as health information, and therefore as protected health information, and health plans may not use or disclose it for underwriting purposes. This may not affect most private practices except for requests from insurance companies. Practices need to be aware of, and check, state rules before releasing genetic information, because state law may be stricter.

Breach notification. The breach notification rules have also been clarified. An impermissible use or disclosure of protected health information is now presumed to be a breach unless the covered entity or business associate can show, through a risk assessment, that there is a low probability the information has been compromised. The risk assessment must consider at least four factors: the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used it or to whom it was disclosed; whether it was actually acquired or viewed; and the extent to which the risk to the information has been mitigated.

A covered entity may skip the risk assessment and simply provide the required notifications. No breach notification is required if the protected health information was secured, that is, encrypted or destroyed in a way that meets HHS guidance (for encryption, a method consistent with the NIST standards that guidance cites). Encryption does not qualify if the decryption key or process was exposed along with the data, so encrypting laptops, portable media and backups, and documenting how and where you do it, is what keeps a lost device from becoming a reportable breach. Practices will need to review and revise relevant breach notification policies and procedures.

Use and disclosure of protected health information. A patient who pays in full out of pocket for a service may request a restriction on disclosures about that service to his or her health plan for payment or health care operations, and the practice must honor the request unless the disclosure is required by law. In other words, if the insurer requests information about the patient, services the patient paid for in full would be excluded from the data set. Practices will need to review and revise policies and procedures and work with their vendors to determine how to flag those services and exclude them from claims and other disclosures to the plan.

These are only a few of the changes and clarifications made in the omnibus rule. For more information and specifics; a checklist of tools, forms, and policies that will need modification as a result of these clarifications; and newly revised tools and resources, go to ACP's HIPAA resource page.