
In January 2013, the Department of Health and Human Services (HHS) finalized the HIPAA Omnibus Rule, the most significant set of changes to the Health Insurance Portability and Accountability Act since the original Privacy and Security Rules.
The rule broadened the definition of a business associate to cover any entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity, and explicitly extended that definition to subcontractors of business associates.
Covered entities had to update their business associate agreements to reflect the new obligations, and business associates became directly responsible for safeguarding the PHI they handle.
The rule also changed the Breach Notification Rule: an impermissible use or disclosure of PHI is now presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, and affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, with the HHS Secretary notified on the same timeline for breaches affecting 500 or more individuals.
Finally, covered entities were required to revise and redistribute their notice of privacy practices, which must describe how PHI is used and disclosed and which uses require the individual's authorization.
HIPAA Rule Changes
The Omnibus Rule, issued in 2013, brought significant changes to HIPAA. It implemented the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which had extended HIPAA's reach but left the details to rulemaking.
The Omnibus Rule rewrote the standard for reporting breaches. Instead of the earlier "significant risk of harm" test, any unauthorized use or disclosure of PHI is now presumed to be a breach unless the entity can document a low probability that the PHI was compromised. Breaches affecting 500 or more individuals must be reported to HHS within 60 days of discovery (and to prominent media outlets in the affected area); smaller breaches are logged and reported to HHS annually.
New limits were placed on sharing PHI. Selling PHI now requires the individual's written authorization, and most marketing communications paid for by a third party require authorization as well.
Individuals gained new rights over their own data. A patient who pays for a service out of pocket in full can require that the provider not disclose information about that service to the patient's health plan, and individuals can request a copy of their electronic PHI (ePHI) in electronic form.
The tiered civil penalty structure introduced by HITECH was finalized, with penalties scaled to the level of culpability, and enforcement was expanded to reach business associates directly.
The rule also required each covered entity to revise and redistribute its notice of privacy practices (NPP) to reflect these changes.
Here are the key changes to the Breach Notification Rule:
- Any unauthorized use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
- Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered.
- Breaches affecting 500 or more individuals must be reported to the Secretary of HHS within that same 60-day window; breaches affecting fewer than 500 are logged and reported to HHS within 60 days after the end of the calendar year.
Breach Notification
Under the new breach notification rules, a covered entity or business associate must treat any use or disclosure of protected health information (PHI) that is not permitted by the Privacy Rule as a presumed breach.
The old harm threshold has been eliminated. An impermissible disclosure is reportable even if it does not appear to pose a significant risk of harm, unless the entity can demonstrate, and document, a low probability that the PHI was compromised.

To rebut that presumption, covered entities and business associates must perform a risk assessment using at least the four factors HHS published in the rule: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. The assessment and its conclusion should be retained, since the burden of proof that an incident was not a breach rests with the entity.
HHS has made clear that most impermissible uses and disclosures of PHI will turn out to be reportable breaches under this standard, so the number of breaches reported was expected to rise.
In practice this means incident response procedures for PHI must start from the assumption that an incident is reportable, and notification should be expected more often than before.
Business Associate Liability
The Omnibus Rule made business associates directly liable for their own compliance with the HIPAA Security Rule and with the applicable provisions of the Privacy Rule.
HITECH had already stated that business associates would be directly liable, but the Omnibus Rule turned that statement into enforceable regulatory requirements.
Business associates can now be audited and fined directly by the Office for Civil Rights (OCR), the component of the Department of Health and Human Services that enforces HIPAA, rather than being reachable only through their contracts with covered entities.
Business associates are therefore bound by HIPAA's mandates in the same way as their covered-entity clients, and can no longer rely on a client's compliance program in place of their own.
HIPAA Components

HIPAA security involves administrative, physical, and technical safeguards to protect electronic PHI (ePHI).
The HIPAA Security Rule was published as a final rule in 2003, requiring covered entities to put these safeguards in place.
Administrative safeguards include risk analysis and risk management, policies and procedures for handling PHI, workforce training, and contingency planning.
Physical safeguards control physical access to systems and media that hold ePHI, such as facility access controls, workstation security, and secure storage and disposal of devices.
Technical safeguards cover access control, audit controls, integrity protection, person or entity authentication, and transmission security; encryption is an addressable specification for both stored and transmitted ePHI.
The Omnibus Final Rule issued in 2013 extended these requirements by implementing the remaining HITECH provisions: it applied the Security Rule directly to business associates, strengthened individuals' control over their ePHI, and restricted the use of PHI for marketing and sale without authorization.