Burlington, Vt. (PRWEB) June 17, 2013
Earlier this year, the U.S. Department of Health and Human Services adopted tough standards to strengthen the privacy and security protections for health information under the Health Insurance Portability and Accountability Act (HIPAA) with the final Omnibus Rule. These modifications enhance the privacy protections for patients’ health records and provide patients with new rights to their health information, while also supporting the government’s ability to enforce the law.
For healthcare providers, psychologists, social workers and other health professionals and entities, understanding and adhering to these changes is essential, but can oftentimes be confusing and tedious to keep up with. Eileen Elliott, partner in the Burlington law firm Dunkiel, Saunders, Elliott, Raubvogel & Hand, focuses on health care law and offers the following six tips to help healthcare providers navigate the new HIPAA rule.
1. Be familiar with the 2009 HITECH Act.
Most of the changes in the Omnibus Rule are not entirely new; they already exist under various proposed and interim rules under HIPAA and the HITECH Act. Understanding HITECH’s obligations regarding breach notification will make the new rule less daunting.
The other interim or proposed rules folded into the Omnibus Rule include the HIPAA Privacy, Security and Enforcement Rules; rules incorporating the increased and tiered civil money penalty structure; Breach Notification for Unsecured Protected Health Information; and the rule modifying the Genetic Information Nondiscrimination Act.
2. Go over the enhanced breach notification requirements.
Strengthened breach reporting is one of the major effects of the Omnibus Rule. While the prior rule stated that breaches were not reported unless they posed a “significant risk of reputational, financial or other harm” to individuals, the determination is now based on the risk that protected health information (PHI) has been “compromised.” A risk analysis is now required to determine the probability that PHI has been compromised.
3. Understand the increased business associate liability.
Business associates, or entities that create, receive, maintain or transmit PHI, have new requirements that increase their liability, and they can now be directly liable for HIPAA noncompliance. The updated requirements include contracting ramifications, Security Rule compliance, use and disclosure requirements of the Privacy Rule, providing copies of ePHI, maintaining an accounting of disclosures and providing Health and Human Services (HHS) with PHI during a review or audit.
4. Recognize Health and Human Services’ enhanced fining authority.
HHS may now fine any Covered Entity, Business Associate or responsible party for a violation and retains the authority to charge multiple violations related to a single event, such as a breach. Monetary penalties will be tallied on a per person and per day basis. It is important to recall that the maximum annual cap of $1.5 million is applied on a “per provision” basis. It is not an overall limitation on liability but can be multiplied several times over depending on the number of provisions violated.
5. Note the extension of GINA requirements.
All plans that are subject to HIPAA are now also subject to the Genetic Information Nondiscrimination Act (GINA). Revisit the definition of genetic information under the act to determine what is classified as genetic information, because its use for underwriting is now forbidden.
6. Mark your calendar.
The Omnibus Rule became effective on March 26, 2013 and the compliance deadline is September 23 of this year. There is a deferred compliance date provided in special cases for existing business associate agreements that comply with HITECH, but at the latest all contracts must be compliant by September 22, 2014.
The full final rule can be read in the Federal Register. To learn more about Dunkiel Saunders, please visit http://www.dunkielsaunders.com.
About Dunkiel Saunders
Dunkiel Saunders is a Burlington, VT-based law firm that was founded with the mission to serve the public interest and improve the world around it. The practice focuses primarily on environmental, energy, health care, telecommunications, nonprofit and business law, and also provides legal services in a range of related practice areas such as green marketing, renewable energy, intellectual property, agriculture and food producers, real estate and more.
Dunkiel Saunders is designed to help its clients make a difference. Each experienced attorney provides strategic advice to help leaders in businesses, nonprofits and government take meaningful action to achieve their goals.