Guest post by Scott Parker, Cure MD.
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by “covered entities.” These entities generally include healthcare clearinghouses, employer-sponsored health plans, health insurers, and healthcare providers.
PHI is any information held by a covered entity concerning the health status, provision of healthcare, or payment for healthcare that can be linked to an individual.
Covered entities must disclose PHI to the individual within 30 days of a request. They must also disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.
Disclosures of PHI require the covered entity to obtain written authorization from the individual. However, whenever a covered entity discloses PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose. The Privacy Rule also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals.
Omnibus Rule and its implications
Before the Omnibus Rule, covered entities were responsible for reporting data breaches to the Department of Health and Human Services (HHS). Covered entities were also required to contractually obligate their business associates (including EHR vendors and their subcontractors) to safeguard any PHI they handled. Business associates were under no obligation to report data breaches to anyone other than the covered entities. With the new HIPAA Omnibus Rule, there have been a few important changes.
Compliance means more than signing business associate agreements. Business associates are now required to implement HIPAA-specific policies and procedures, have a HIPAA risk analysis, train their workforce, and deliver and document HIPAA-compliant services.
Business associates are now also required to report any PHI data breaches directly to HHS. They must abide by the same rules that apply to covered entities and are subject to the same penalties.
For EHR vendors, this means they will have to ensure stricter data protection in their software. One cost-effective and practical option available to data centers and cloud providers is to make a select part of the business HIPAA compliant and institute strict procedures to ensure that the receipt, maintenance, or transmission of PHI occurs only within that part of the system.
The HIPAA Omnibus Rule does not change meaningful use requirements, but combined, the two may drive more healthcare providers to protect patient data, according to privacy and security experts. For providers looking to benefit from federal incentives under meaningful use, the Omnibus Rule does not change much, because they were already bound to build patient-record privacy protections into their workflows through the use of certified EHR vendors. With this rule, however, the privacy requirements have been made universal: they now encompass all vendors and providers, whether or not they are seeking meaningful use incentives.