HIPAA Demystified: What the heck is the Omnibus Rule, and Why Should I Care
On January 17, 2013 the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced the final rule (the "Omnibus Rule") that implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for protected health information (PHI) previously established under HIPAA.
The Omnibus Rule greatly enhances a patient's privacy protections, provides new rights for patients to access their PHI, and strengthens the government's ability to enforce the law. These changes bring HIPAA in line with the requirements of the HITECH Act.
Few of the changes brought by the Omnibus Rule impact the day-to-day operations of most Covered Entities and their Business Associates. Others have enormous bearing on these operations. In this presentation we will include a brief discussion of patient rights to access their PHI, the use of PHI for marketing, and the uses and disclosures of the PHI of deceased individuals. We will focus intensely on those topics that impact the Covered Entity and Business Associate not only on a daily basis, but that also have the greatest possibility of leading to fines and penalties.
There are 3 core areas where the Omnibus Rule presents challenges for both Covered Entities and Business Associates. These can be grouped as:
- New definitions of what constitutes a Business Associate, what their obligations are under HIPAA, and what additional liabilities BAs present for their CEs,
- New standards for the reporting and analyzing of breaches, and
- Changes in the penalties that will be assessed for HIPAA violations
In the context of these changes, the attendee will also learn about both the implications of Willful Neglect, and the effects of the new random audit program implemented by OCR. We will look at how the attendee is required, under the Omnibus Rule, to assess suspected breaches, working through an example. We will cover the implementation specifications to consider that will minimize the risk of penalties being imposed by OCR when conducting an audit or investigating a breach.
A year has gone by since the publication of the Final Omnibus Rule. During that time OCR has made clear, in its guidance, the importance of the areas addressed in the rule. While many parts of the rule do not affect the day-to-day operations of most CEs and BAs, the parts that do leave an entity that does not understand their nuances at a heightened risk of increased fines and penalties, along with tort liabilities.
Clearly an understanding of the Omnibus Rule and the implications of noncompliance is something you should care about.
Why should you attend:
The Final Omnibus Rule published in January 2013, which went into effect March 26, 2013, made a number of changes to HIPAA. The changes bring HIPAA in line with the requirements of the HITECH Act, enhance patient privacy protections, provide additional rights for patients, and strengthen the government's ability to enforce the law.
Few of the changes brought by the Omnibus Rule impact the day-to-day operations of most Covered Entities and their Business Associates. Others have enormous bearing on these operations. Consider the following:
- Covered Entities are now liable when their Business Associates, or the subcontractors their Business Associates hire, have a breach. Business Associates account for more than 30% of breaches of electronic protected health information.
- An impermissible use or disclosure of PHI is now presumed to be a breach unless the organization's risk assessment shows a low probability that the PHI has been compromised; reporting therefore requires the organization to assess that probability and the potential impact of the breach.
- Annual penalties and fines have been increased by 25%, up to a maximum of $1,500,000.
So what does that mean for you? Your risk of seeing the maximum fine of $1,500,000 has significantly increased. In addition, OCR has a newly launched random audit program, which received additional funding from the HITECH Act, and OCR now retains the fines and penalties collected from its investigations.
This gives HIPAA regulations some teeth. Not knowing about the HIPAA regulatory changes and the Omnibus Rule is not an option. OCR has increased its focus on Willful Neglect. Engaging in Willful Neglect, i.e. sticking your head in the sand and ignoring these new rules, is the quickest way to see the increased fines and penalties. No longer will organizations be able to argue that they simply were not aware of their obligations under HIPAA and specifically under the Final Omnibus Rule. OCR is just not buying this argument anymore. Additionally, if you do have a breach, willful neglect penalties are higher if you have not tried to mitigate the breach. If you do not know the regulations, you cannot cure your breach, putting you in peril of higher fines.
The ramifications of unfamiliarity with the Omnibus Rule, and of the noncompliance that results from ignorance of the rule, can go far beyond the fines and penalties OCR may levy. You and your company may face potential tort liabilities significantly exceeding those fines and penalties.
Remember that while the fines and penalties from OCR are capped, albeit at $1,500,000, tort liabilities are open ended: jury awards are not capped. Your best insurance against these types of losses is to be armed with current, accurate information about HIPAA and HITECH. It behooves you to create a "culture of compliance" in your organization, keeping protected health information confidential while avoiding the ramifications of a breach.
Areas Covered in the Session:
- What does an Omnibus Rule mean
- What are the modifications to the HIPAA Privacy Rules
- What are the modifications to the HIPAA Security Rules
- What are the modifications to the HIPAA Enforcement Rules
- Under what circumstances will the modifications to HIPAA affect me
- What changed in the definition of a Business Associate
- What changes to the Business Associate Agreement are required
- What are the additional liabilities Covered Entities now have from their Business Associates
- What steps can the Covered Entity take to protect themselves from this additional liability
- What is Willful Neglect
- What are the implications of being found engaging in Willful Neglect
- How can you be sure you won't be found as engaging in Willful Neglect
- What are the new requirements for breach notifications
- What are the new requirements to assess the risk associated with breach notifications
Who Will Benefit:
- Human Resources
- Chief Nursing Officer
- Chief Clinical Officer
- Practice Managers