This section discusses HITECH and the Omnibus Rule, the latest additions to HIPAA. HITECH expanded the reach of HIPAA and imposed new regulations and requirements for covered entities to follow. The video covers the last addition to HIPAA, the Omnibus Rule, which had several pieces but, most importantly, made business associates directly liable for HIPAA violations.
Business Associate Agreements (BAA)
Now that we’ve introduced HIPAA and covered the Privacy and Security Rules, we’ll finish by talking about the most recent additions to HIPAA - the HITECH Act and the Omnibus Rule.
In 2009, Congress passed the American Recovery and Reinvestment Act, which included, in part, the Health Information Technology for Economic and Clinical Health Act, or HITECH for short. HITECH aimed to streamline health care and reduce costs through health care information technology. HITECH also marked a significant expansion in the reach of HIPAA and imposed new regulations and requirements with respect to PHI. On January 26, 2013, the Department of Health and Human Services' Office of Civil Rights published the most recent rule addition to HIPAA, the Omnibus Rule, as the means of actually implementing the changes outlined in HITECH. Among the changes made by the Omnibus Rule were additional rights given to individuals with respect to their PHI, expanded responsibility for business associates and subcontractors, a new breach notification system, and expanded enforcement and penalties. Through this expansion of individual rights, patients may now request a copy of their electronic medical records. Patients may also restrict the disclosure of their PHI to health plans in situations where they pay for the services or treatments entirely out-of-pocket. The Omnibus Rule sets new limits on how information can and cannot be shared or disclosed for marketing and fundraising activities, and also prohibits the sale of PHI without an individual's authorization.
One of the most significant changes brought about by the Omnibus Rule was that business associates were made directly liable under HIPAA. This means that business associates are accountable not only to the covered entities they work with but also directly to HHS for their compliance with the Privacy and Security Rules. This change added requirements for business associates to conduct workforce training, implement security policies and procedures, appoint a privacy officer, and report breaches, among other Privacy and Security Rule requirements. The Omnibus Rule also extends liability to all subcontractors of business associates, requiring them to protect and safeguard PHI to the same extent.
In the event of a breach of unsecured PHI, covered entities and business associates are required to report that breach to all affected individuals as well as to the Secretary of HHS, unless the covered entity or business associate is able to determine and prove that there is a low probability that the PHI has been compromised. To determine that probability, covered entities and business associates must complete a thorough risk analysis that takes into account the nature and extent of the PHI involved, the person to whom the impermissible disclosure was made, whether the PHI was actually acquired or viewed, and the extent to which the risk to that PHI has been mitigated. HITECH and the Omnibus Rule now require HHS to impose harsher penalties for violations of the Privacy and Security Rules. The Omnibus Rule introduced a tiered approach to penalties, depending on the organization's perceived level of knowledge of the violation. Each tier sets a range of fine amounts per violation based on the level of negligence, with a maximum of $1.5 million in fines for multiple violations of an identical provision in a calendar year.
The Omnibus Rule also gave state attorneys general the authority to enforce the HIPAA rules and impose civil and criminal penalties against covered entities and business associates. Covered entities must also review and revise their notice of privacy practices to reflect the HITECH and Omnibus Rule changes, including the new breach reporting requirements, the changes related to disclosure of PHI to health plans, and the marketing and sale of PHI. Congratulations! You've completed Accountable's HIPAA training. Now, all that's left is to complete the quiz at the end of this tutorial. Good luck!