Two Essentials for HIPAA Omnibus Final Rule Compliance

September 18, 2013

Sept. 23, 2013 is the date for compliance with the HIPAA Omnibus Final Rule. Updated business associate agreements and Notice of Privacy Practices are critical.

Sept. 23, 2013, is the date by which all covered entities and business associates must comply with the HIPAA Omnibus Final Rule (Omnibus Rule). It contains the most significant changes to the HIPAA Privacy and Security rules since their inception, and it strengthens the ability of the Office for Civil Rights (OCR) to enforce the rules and levy fines.

The Omnibus Rule is a composite of four closely related final rules. Its primary purpose is to implement the mandates of the Health Information Technology for Economic and Clinical Health (HITECH) Act. That act is part of the American Recovery and Reinvestment Act of 2009 and provided for the EHR adoption and meaningful use incentives.

The entire rule deserves careful attention, but required changes to business associate (BA) agreements and Notices of Privacy Practices (NPPs) are especially conspicuous and time-sensitive.

Business Associate Agreements
A BA is any entity or individual that "creates, receives, maintains or transmits" protected health information (PHI) for a covered entity. The Omnibus Rule expands the definition of BA to explicitly include Patient Safety Organizations, e-prescribing gateways, health information exchanges, personal health record vendors engaged by physicians for their patients, and physical or electronic data storage providers. (There is a narrow exception for entities that simply transport data, and whose temporary storage of that data is strictly for the purpose of transporting it. Examples include the U.S. Postal Service and internet service providers.)

A medical practice must review its relationship with each vendor not currently recognized as a BA to determine whether that vendor meets the expanded definition.

Under the Omnibus Rule, BAs are directly accountable to OCR for compliance with the HIPAA privacy, security and breach notification rules and are subject to OCR-levied fines. Practices are no longer responsible for HIPAA infractions committed by their agent BAs.

As of Sept. 23, 2013, each BA must be operating under a written agreement with the practice that includes BA language compliant with provisions in effect as of the date of execution.  Agreements entered into before Jan. 25, 2013, and not renewed or modified between March 26, 2013, and Sept. 23, 2013, will be deemed to be compliant with HIPAA requirements until Sept. 22, 2014, unless they are renewed or modified before then. 

Agreements entered into on or after Jan. 25, 2013, must comply with the provisions of the Omnibus Rule. Required modifications to the BA agreement include:
• Physicians are no longer obligated to report their BA's HIPAA violations to the OCR when termination of the relationship is not feasible or HHS deems the BA's direct liability for the violations is sufficient.
• BAs are responsible for the violations committed by their subcontractors.
• BAs must comply with the security and breach notification rules.
• The practice is liable for the actions of BAs who are agents, but not for those of subcontractors. (The distinction between an agent and a subcontractor is not always clear, but it relates to the control the practice has over the BA's work.)

Guidance on what to include in a BA agreement is available here.

Notice of Privacy Practices
Each practice's NPP must be updated by Sept. 23, 2013, to include the Omnibus Rule changes to the privacy and security rules. 

Specific amendments include those related to:
• Breach notification
• Disclosures to health plans
• Marketing and sale of protected health information (PHI)
• Fundraising, if applicable, including the patient's right to opt out of fundraising communications

The new NPP must:
• Include the date it is first in effect
• Be posted in the practice
• Be available on paper to any new patients and anyone who requests a copy
• Be posted on the practice website

Previous requirements to include information on communications regarding appointment reminders, treatment alternatives, or health benefits or services have been eliminated. That is, this information may be removed from the NPP, but removing it is not required.

Updated BA agreements and Notices of Privacy Practices are critical elements of compliance with the Omnibus Rule. There is also no gray area or room for argument in determining the practice's timely compliance with the rule as it relates to these two documents.