February 18, 2013
(This post is the first in a series of six that will examine the federal “Omnibus” HIPAA Rule, released January 18, and effective March 26. All covered entities and business associates must be in compliance by September 23, 2013.)
HIPAA privacy and security regulations have been with us for almost 13 years and have been subjected to many refinements and updates. During the same period, new federal rules have evolved with provisions that paralleled, expanded on, or otherwise interacted with HIPAA.
So, pulling together a new “omnibus” Rule intended to clean up a rather complicated mess makes sense. The Department of Health and Human Services has done just that, by combining features of four existing component rules. It also has taken this new rule-making opportunity to expand HIPAA’s reach and strengthen HHS powers.
The HIPAA Clean Up: First, here is how HHS has effectively combined HIPAA with four other federal rules. The new omnibus rule includes:
The Expansion of HIPAA: Many healthcare professionals still don’t understand that the omnibus HIPAA Rule is not just 563 pages of regulatory reorganization. The Rule, in fact, presents extensive revisions to HIPAA privacy and security requirements that are major and far-reaching. The text of the lengthy document is necessarily complex, given its regulatory intentions, but it is possible to identify at least three broad themes embodied in the new rule:
• HHS gives patients and their rights central priority, within its long-term vision of an integrated health care environment where HITECH’s “Meaningful Use / MIPS” of electronic health records will be fully realized.
• On the other hand, the obligations of covered entities under HIPAA have expanded. In a dramatic turnabout, business associates and their sub-contractors are now subject to many of these obligations, including paying penalties.
• HHS has assumed greater reach in enforcement powers and overall authority. It has reduced the level of regulated entities’ discretion in identifying breaches and has amplified breach notification requirements.
Part 2 of this series will delve into the major impacts of the Omnibus HIPAA Rule. Stay tuned. In Part 3 and beyond, we’ll cover specifics of all major changes in HIPAA Privacy and Security requirements.