The Omnibus Rule Includes Requirements for Business Associates
The Department of Health and Human Services (HHS) published its final Omnibus Rule on January 2013, enhancing HIPAA and its primary goal of establishing privacy for healthcare patients. Among the requirements added in the Omnibus Rule is the inclusion of business associates. Before this time, only covered entities were required to abide by the Security Rule and Breach Notification sections of the HITECH Act. But with the Omnibus Rule, both covered entities and business associates must follow these sections.
The Security Rule Only Affects Electronic Protected Health Information
Unlike the Privacy Rule which affects both electronic and paper forms of Protected Health Information (PHI), the Security Rule only affects electronic PHI (known as EPHI). It requires doctors and covered entities to implement meaningful and “appropriate” administrative, physical and technical safeguards to protect against the unauthorized disclosure of EPHI.
Doctors Must Use a Single National Provider Identifier
In 2006, HIPAA was updated to require all doctors and covered entities to use a single National Provider Identifier (NPI), assuming they use electronic communications. Consisting of 10 digits, it replaces all other identifiers used by health plans.
Private Practices Have Most Violations
Small, private healthcare practices have the most HIPAA violations, according to the HHS. This is likely due to the fact that many small practices are unfamiliar with HIPAA. Coming in second is hospitals; outpatient facilities in third; group insurance plans in fourth; and pharmacies in fifth.
Misuse and Disclosure of PHI is Most Frequent HIPAA Violation
According to the HHS website, the single most common HIPAA violation is the misuse and disclosure of PHI. Doctors should approach PHI with caution, taking the appropriate measures to maintain the patient's confidentiality without violating HIPAA and its respective rules. The HHS listed “no protection in place of health information” as being the second most frequently reported HIPAA violation, attesting to the need for stronger security and privacy policies.
Doctors May Report Child Abuse Without Authorization
It's a common assumption that the HIPAA Privacy Rule prevents doctors and other covered entities from reporting cases of child abuse to the local authorities. In most cases, doctors must obtain their patients' consent before disclosing PHI. But there are exceptions, one of which is cases involving what is presumed to be child abuse.
“A notable exception exists for disclosures required by other law, such as for mandatory reporting of abuse,” explained the HHS on its website.