D'Arcy Gue


Omnibus HIPAA Summary | Part Two of Our Omnibus HIPAA Series

March 2, 2013



(This post is the second in a series of six that will examine the federal “Omnibus” HIPAA Rule, released January 18, and effective March 26. All covered entities and business associates must be in compliance by September 23, 2013.)

In Part 1 of this series, I provided a context for understanding the reasons for yet another HIPAA rule, particularly one that is prefaced with the word “omnibus.” I also offered my analysis of the far-reaching themes running through the Department of Health and Human Services’ new Rule. These can be boiled down to five words: expanded impact; expanded HHS powers.

Following is an Omnibus HIPAA summary and a list of the major changes presented in the new rule. In the posts to come, I will be digging into each of these, including discussing some real-world implications for covered entities, particularly healthcare providers and their business associates.

  • New, tougher breach definitions and more complex notification provisions. These are bound to increase the incidence of privacy and security breaches.
  • Increased patient access to and control of protected health information (PHI) in many areas, including all systems that touch PHI. Most notably, patients must be granted access to their PHI in electronic form if the healthcare provider maintains it electronically.
  • Changes in the use of personal health information for research, marketing, fundraising, and sale. In general, these changes should benefit covered entities.
  • Extensive changes in business associates management, with added BA liability and new BA agreements that will extend to sub-contractors of business associates.
  • New inclusion of genetic information as PHI.
  • Required changes in all Notices of Privacy Practices.
  • Stronger and broader enforcement powers of the Department of Health and Human Services, with penalties for violations even when there has been no significant risk of harm to an individual.

In Part 3, I attempt to weed through the convoluted new requirements surrounding business associates and their sub-contractors. These new provisions are not just complex; they presage perhaps the greatest amount of work that covered entities will have to do between now and the compliance deadline of September 23, 2013.


