The final regulations from the Department of Health and Human Services Office for Civil Rights (OCR) contain significant changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, enforcement, and breach notification rules.
The new regulations, called the Omnibus Rule, significantly affect covered entities (your practice), business associates, and downstream entities of business associates.
The Omnibus Rule streamlines the authorization requirements for using individuals' protected health information (PHI) for research. It also sets new limits on the use of PHI for marketing and fundraising, prohibits the sale of PHI without the individual's authorization, and increases the penalties for noncompliance.
The final regulations took effect on March 26, 2013, and your practice has until September 23, 2013 to comply.
No Mercy for Business Associates
A business associate is a person or entity that performs a function or activity on behalf of your practice involving the use and/or disclosure of PHI, but is NOT a part of your workforce. The following are examples of business associates:
- Billing Service/Agency
- Collection Agency
- Accountant/Attorney/Other Consultant Who Needs Access To PHI
- Answering Service
- Lockbox Service
- Transcription Service
- Practice Management Software Vendor
- Electronic Medical Records Software Vendor
- Hardware Maintenance Service
- Off-Site Record Storage
- Other Independent Contractors Who Provide Business/Administrative Services On-Site
Under the Omnibus Rule, as opposed to previous HIPAA rules, your business associates are now directly liable under HIPAA and must comply with the Security Rule and certain provisions of the Privacy Rule. Subcontractors of business associates (the vendors your business associates use) have identical compliance obligations, no matter how far "downstream" their services are from the covered entity.
There is an exception for "conduits" of PHI, but it is limited to organizations that merely transmit PHI. The United States Postal Service is an example: it is only a channel through which PHI passes. Organizations that store PHI, such as cloud vendors, are business associates even if they do not access the PHI.
You must update your existing business associate agreements to reflect the revisions in the Omnibus Rule. Your practice may continue to operate under existing agreements until September 23, 2014 (one year after the Omnibus Rule compliance date).
Dramatic Changes to Marketing and Fundraising
The Omnibus Rule now requires that, before your practice sends an individual any marketing communication about a product or service for which a third party pays, it must obtain the individual's authorization to receive that communication.
Authorization is not required for communications that qualify as "health care operations," for face-to-face communications, or for promotional gifts of nominal value. For example, subsidized face-to-face communications, subsidized communications about a drug or biologic currently prescribed to the individual, and refill reminders are all permissible without authorization.
The Omnibus Rule makes clear that communications about generic equivalents and adherence-related communications fall within this exception. Third-party payments for purposes other than communications to a patient, such as a third-party-funded disease management program, do not require authorization, provided the communication encourages participation in the program rather than the use of the sponsor's particular product or service.
The Omnibus Rule also permits broader fundraising communications. The original HIPAA Privacy Rule allowed only demographic information and dates of care to be used for fundraising. The Omnibus Rule permits the use of demographic information, dates of service, department of service, treating physician, outcome information, and health insurance status for fundraising by fundraising entities and their business associates. Notice and opt-out requirements still apply to fundraising communications and must be described in the Notice of Privacy Practices given to the individual. Whether the opt-out is campaign-specific or lets the individual opt out of all fundraising communications is at your discretion.