The U.S. Department of Health and Human Services (HHS) published its 'Omnibus Rule' back on January 25, 2013, giving covered entities until September 23 of the same year to comply or be subject to penalties. While the new rule has been active for well over a year now, many physicians, chiropractors, dentists and other covered entities are unaware of its purpose.
The Omnibus Rule is essentially a modification of the existing Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules that introduces elements from the Health Information Technology for Economic and Clinical Health (HITECH) Act. To put the scope of the Omnibus Rule into perspective, the HHS's final rule was over 500 pages in length!
Technical jargon aside, the Omnibus Rule is designed to strengthen the privacy and security of patient data collected by covered entities. In addition to introducing new security measures, it also provides patients with new rights. Because the Omnibus Rule runs to hundreds of pages, we won't be able to cover everything in this post, but the key points of the modification are listed below.
Here are some of the key takeaways of the HIPAA Omnibus Rule:
- Business associates of covered entities can now be held liable if they fail to comply with HIPAA's Privacy and Security Rules.
- Places further limitations on the use of patient health information for marketing purposes.
- Prohibits the sale of patient health information without the patient's authorization.
- Introduces HITECH elements to the Enforcement Rule.
- Modifies the covered entity's notice of privacy practices.
- Enhances patients' rights to receive copies of their protected health information in electronic format.
- Restricts disclosures to a health plan when the patient has paid out of pocket in full.
- Introduces a multi-tiered civil money penalty for HIPAA security breaches.
- Modifies the definition of a privacy breach.
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”