With the HIPAA Omnibus rule compliance deadline set for September 23rd this year, it’s time to accelerate compliance and security measures and make sure you leave no avenue for a breach. Industry experts and law firms have been providing valuable insights into the final rule and have been suggesting best practices for covered entities since the rule was announced on January 18th. While you’re busy preparing for the upcoming audits and working hard at achieving compliance, now’s the time to take a step back and consider these six legal tips for compliance, offered by Eileen Elliott, a partner in the Burlington, VT-based law firm Dunkiel, Saunders, Elliott, Raubvogel & Hand.
- Keep the 2009 HITECH Act in Mind. While most of the changes in the omnibus rule are not new, and already exist under various interim or proposed rules under HIPAA and HITECH Acts, the other interim and proposed rules include those incorporating the increased and tiered civil money structure, breach notification for unsecured protected health information, and the rule modifying the Genetic Information Nondiscrimination Act. So a good understanding of HITECH’s obligations about breach notification can make the new rule less daunting.
- Examine the enhanced requirements of breach notification. One of the major effects of the Omnibus rule is, strengthened breach reporting. Although the earlier rule required entities to report breaches only when they posed a ‘significant risk of reputational, financial, or other harm’, the final rule makes it mandatory to report any breach incident that stands the risk of ‘compromising’ public health information. This means a risk analysis is now required to determine whether PHI has been compromised.
- Understand the increased liability of business associates. Your business associates and subcontractors are now liable to comply with HIPAA requirements. The updated requirements include contracting ramifications, security rule compliance, use and disclosure requirements of the privacy rule, maintaining accounting disclosures and providing health and human services with PHI during review or audit.
- Be aware of HHS’ enhanced fining authority. Health and Human Services’ Office for Civil Rights can now fine any covered entity, including business associates, subcontractors, or any other party responsible for a violation. In such cases, monetary penalties will be tallied on a per person per day basis. The maximum annual cap of $1.5 million is applicable on a ‘per provision’ basis.
- Be informed of the extension of GINA requirements. It’s important that you revisit the definition of Genetic Information Nondiscrimination Act (GINA) because all plans that are subject to HIPAA are now subject to GINA too. You need to determine what is classified as this type of material as it is now forbidden from use for underwriting.
- Mark the date in your calendar. While the omnibus rule came to effect on March 26 this year, the compliance deadline is 23rd of September. However, in special cases for existing business associate agreements that comply with HITECH, a deferred compliance date is applicable. But all contracts must be compliant at the latest by September 22, 2014.
These apart, you may significantly benefit from using platforms such as Aegify Security Posture Management and Aegify SecureGRC which ensure complete security of PHI, while also helping you achieve and maintain compliance with the HIPAA Omnibus rule.