The Omnibus Rule arrives

Welcome to 2013. We survived the Mayan curse and avoided the dreaded fiscal cliff (well mostly), so the Office for Civil Rights (OCR) not wanting to disappoint finally released the Omnibus Rule. Just when we thought we had slipped by…Actually, it was to be expected.

The Omnibus Rule released Jan. 17, 2013 will have an impact on both covered entities and business associates. Organizations will have to be compliant with these new requirements by Sept. 23, 2013. This gives everyone just eight months to bring current policies and controls into alignment with the new requirements. The highlights of the new rule follow briefly.

First up, business associates and their subcontractors are now officially liable directly for certain requirements of the HIPAA Privacy and Security Rules, whether a formal agreement exists or not, which means OCR will now investigate them directly for breaches they cause and they will be incorporated into the Random Audit Program. The Audit Program is expected to resume sometime later this year.

The “harm” standard associated with the Breach Notification Rule has been redefined to provide more specifics around assessing harm. The original rule requires notification if disclosure poses a “significant risk” of financial, reputational or other harm to the individuals involved. The revised rule requires entities to demonstrate “a low probability” of the information being compromised.

The civil monetary penalties that were increased under the provisions of HITECH are included in the final rule as expected. These changes increased the fines that could be exposed from $100 and $25,000 to $50,000 and $1,500,000, respectively, and provided additional guidance for OCR when assessing penalties including consideration for the number of individuals involved or records exposed and criteria for reputational harm.

The new rule also strengthens and simplifies privacy protections and use and disclosure provisions. It affects the sale and marketing of PHI, uses and disclosures by covered entities and makes it easier for patients to request their records and to restrict disclosures.

Covered entities will have to accomplish several things over the next few months to be ready come September. What do you need to be doing now?

  • Familiarize yourself with the provisions of the rule and its requirements.
  • Revise and update Notice of Privacy Practices.
  • Revise and update various policies and procedures.
  • Revise incident response processes.
  • Review all business associate agreements.
  • Train workforce members on the new rules.