Is Your Practice Prepared for the New Omnibus Rule?
August 12, 2013
By: Julie Sheppard, BSN, JD, CHC
Enforcement of the HIPAA Final Omnibus Rule began September 23, 2013, greatly expanding patients' privacy rights, changing requirements, and increasing penalties for all covered entities, including physician practices.
Provisions of the rule governing privacy, security, enforcement, and breach notification have all been modified. These changes require new approaches to several aspects of the operation of a practice and the relationships with business associates and subcontractors. A change in the rule regarding Breach Notification significantly impacts the procedures of a medical practice.
The Omnibus Rule now requires a "risk assessment" analysis. The former "risk of harm" approach presumed that notification was not necessary unless the risk of harm could be shown to be high enough to require reporting to the individual. The new "risk assessment" analysis presumes that notification is necessary unless the practice can substantiate a low probability that the information was compromised. This reversal of the presumption regarding the need for notification is an important change for medical practices and requires new steps.
Under HITECH, the Office of Civil Rights (OCR) oversees periodic audits of covered entities and enforces HIPAA Privacy and Security Rules and Breach Notification standards. OCR provides four factors that need to be considered when documenting a risk assessment:
Nature and extent of PHI involved (think about whether it would be easy to re-identify an individual)
Unauthorized person who used the PHI or received the disclosure
Whether PHI was acquired or viewed
Extent to which risk to PHI is mitigated
Beyond the risk assessment analysis, a medical practice must develop and implement processes for notifying individuals, the media, and the Secretary of Health and Human Services. Different kinds of breach require different elements and methods of notification, and a practice should be prepared to respond appropriately to each.
Julie Sheppard, BSN, JD, CHC is President and Founder of First Healthcare Compliance. Ms. Sheppard is an Adjunct Professor at Widener University School of Law, where she serves as the course instructor for Healthcare Compliance & Ethics. A nurse, an attorney, certified in Healthcare Compliance by the Compliance Certification Board, and a physician's spouse, Julie intersected her professional understanding of compliance issues with her personal motivations when establishing First Healthcare Compliance. First Healthcare Compliance (http://1sthcc.com/) addresses the challenges created by the recent compliance mandates of the Affordable Care Act (ACA) for healthcare providers, specifically those applying to physician practices, by developing a timely, comprehensive, and practical solution to meet the ongoing compliance needs of physician practices.