The HIPAA Omnibus Rule was created to address a variety of issues left unaddressed by earlier HIPAA amendments. Definitions were updated, processes and rules were clarified, and the HIPAA compliance checklist was extended to include Business Associates and their subcontractors.
Any individual or group which generates, receives, preserves or carries Protected Health Information in the course of executing tasks for a Covered Entity is classified as a Business Associate. Contractors, advisors, information storage firms, medical record organizations, and any subcontractors hired by Business Associates are all considered Business Associates.
The Omnibus Rule modifies HIPAA regulations in five essential areas:
- It introduces the final modifications required by the HITECH Act.
- It incorporates the enhanced, tiered civil money penalty system mandated by HITECH.
- It changes the damage limit and incorporates the HITECH Act’s final regulation on Breach Notification for Unsecured ePHI.
- It amends HIPAA to include the requirements of the Genetic Information Nondiscrimination Act (GINA), which restrict the sharing of genetic data for underwriting purposes.
- It prohibits the use of PHI and personal identifiers for advertising purposes.
The term Business Associate was also properly defined, the term Workforce was broadened to include workers, volunteers, and interns, and the definition of Protected Health Information (PHI) was revised.
Following the enactment of the HIPAA Omnibus Rule, Covered Entities must now comply with the following requirements in order to be HIPAA compliant:
- Revise Business Associate Agreements — To comply with the Omnibus Rule, existing BA agreements must be revised. Business Associates must be informed that they are subject to the same Security Rule and Privacy Rule requirements as Covered Entities, and must adopt the same technical, physical, and administrative safeguards to secure ePHI and personal identifiers. Business Associates must cooperate with patient requests for access to their information, and data breaches must be disclosed to the Covered Entity as soon as possible, with help with breach notification processes provided as well.
- Issue new Business Associate Agreements — Before using a Business Associate’s services, a new HIPAA-compliant agreement must be in place.
- Amend privacy policies — Privacy policies must be amended to reflect the new definitions in the Omnibus Rule. These amendments cover deceased individuals, patient access rights (to their PHI), and responses to access requests. The additional constraints on disclosures to healthcare organisations and insurers, the sale of PHI, the disclosure of immunisation records to schools, and the use of PHI for marketing, research, and fundraising should all be reflected in the amendments.
- Revise Notices of Privacy Practices (NPPs) — NPPs must be amended to include the types of data whose use or disclosure requires authorisation, as well as the opportunity to opt out of fundraising communications and the new breach notification standards.
- Educate employees — The Omnibus Rule revisions and terminology changes must be explained to employees. Every training session must be documented.