Nowadays, it seems that in every industry, regulatory guidelines are constantly evolving. New threats emerge all the time, business practices change, and technology forces governance groups to rethink how they can protect consumers and secure their data. HIPAA, perhaps the most important regulatory mandate for healthcare companies and service providers, has evolved numerous times through the years.
Since the Health Insurance Portability and Accountability Act was first established in 1996, it has been refined, upgraded, and adjusted with various new rules. The HIPAA Omnibus Rule, introduced in 2013 by the Department of Health and Human Services, is one of the most significant updates so far.
But what exactly is this rule, and how does it affect healthcare teams and their business associates? Here’s everything you need to know.
What Is the HIPAA Omnibus Rule?
The Omnibus Rule was established to help consolidate and clarify various aspects of HIPAA’s guidelines, such as the privacy rule, security rule, and breach notification rule.
On a broad level, it asked healthcare professionals and companies to alter their Business Associate Agreements, ensure third parties were complying with HIPAA’s security rules, and adjust their approach to communicating with patients about potential breaches.
The HIPAA Omnibus Rule is part of a long line of improvements to HIPAA guidelines. While HIPAA’s privacy rules came into force in 2003, the regulations have continued to evolve since.
In the early 2000s, technology evolved, reshaping how healthcare companies collect patient data and work with specialists to deliver services. The healthcare industry has also moved from paper records to health information technology, which led to a new range of threats.
In 2009, Congress passed the HITECH Act to extend the definition of “Business Associate” and bring new entities into the HIPAA landscape.
This Act also increased penalties for HIPAA violations, strengthened privacy protections, and added new restrictions on the use of electronic PHI in marketing activities. By 2013, the Department of Health and Human Services needed to simplify HIPAA compliance while balancing clinical and economic health, leading to the creation of the Omnibus Rule.
The Major Changes Created by the Omnibus Rule
The HIPAA Omnibus Rule has led to numerous changes in how healthcare companies can safely and securely use software and technology, and how they should store and protect data. Here are some of the biggest changes initiated by the rule.
Evolutions in Patient Access and Control
The Omnibus Rule provides patients with more rights to determine how organizations can use their healthcare information.
It also ensures individuals can request access to electronic copies of their Protected Health Information at any time. Today, failure to provide patients with this information is considered a “critical compliance failure.”
The rule also changed guidelines related to the disclosure of electronic PHI, establishing that covered entities must follow any requests made by patients not to disclose their PHI to healthcare service providers.
Updating Breach Notifications
One major change initiated by the Omnibus Rule influences how healthcare companies and other covered entities inform patients about potential data breaches. In the past, to remain compliant, companies only had to send notifications to patients if there was a risk of harm being caused to more than 500 individuals. The new rule makes the number of records impacted by a breach irrelevant.
Organizations need to ensure they can prove that security incidents didn’t compromise a patient’s private data, or they need to submit a breach notice. For instance, if an employee accidentally fell victim to a scam that gave an outside entity access to an email system, the entity would need to prove the emails were encrypted and unreadable, or submit a breach notice.
Notably, the Omnibus Rule also introduced a new four-stage process for risk assessment, intended to streamline incident responses, and immediately inform covered entities whether they need to inform regulators and individuals of breaches.
Selling PHI and Marketing Restrictions
Thanks to the Omnibus Rule, all HIPAA-compliant organizations now need to obtain written, explicit consent from individuals before they sell healthcare data to any other party.
Individuals also have the right to prevent parties from selling their personal health information. Although organizations can still sell PHI with consent, they need to make it clear that they do this in their privacy policies.
Additionally, the Omnibus Rule requires explicit consent from patients before their personal health information is used in marketing operations. Providers can’t simply hand patient details to pharmaceutical companies or device manufacturers without consent, and they can’t use PHI to drive their marketing strategies without the consent of their patients.
Genetic Information, Research, and Reasonable Disclosures
The Omnibus Rule combines HIPAA regulations with the Genetic Information Non-discrimination Act (GINA), introduced in 2008. This law shields individuals from being discriminated against by providers based on their genetic makeup, meaning that covered entities can’t use genetic data about a patient to make decisions about pricing or insurance coverage.
Elsewhere, the 2013 HIPAA update has made it easier in some ways for companies to collect data for research and analysis purposes. For instance, healthcare organizations can obtain consent for research participation in multiple studies using a single form. Researchers also have a method in place for obtaining “prospective” consent for future studies.
The Omnibus Rule also introduced the concept of “reasonable disclosure,” which means that healthcare providers can more easily share student immunization information with schools, with agreement from a parent or guardian.
Changes in Regulatory Fines
Finally, the Omnibus Rule introduced a new four-tier system of penalties for those who violate HIPAA guidelines. When deciding on penalties, the Office for Civil Rights now needs to take into account:
- How long the violation lasted
- The number of affected individuals
- The impact of the violation on patient privacy and safety
HIPAA currently caps annual penalties at $1.5 million for each different type of violation, which has significantly increased the largest penalty companies can be given.
Managing the Changes Created by the Omnibus Rule
Ultimately, complying with the new standards implemented by the Omnibus Rule is mandatory for all Business Associates and healthcare companies (or covered entities). Even though it was enacted over a decade ago, the patchwork nature of regulatory frameworks has left many healthcare organizational leaders overwhelmed and confused.
To be fully HIPAA compliant, you’ll need to:
- Carefully assess security and privacy practices. Reconcile consent processes to reflect the requirements of the Omnibus Rule, and ensure patients are informed of their rights.
- Update Business Associate Agreements. BAAs should require all associates to follow the latest HIPAA security rules, and must cover all relevant privacy rules.
- Improve risk assessment policies. Business leaders will need to implement four-step risk assessment plans for PHI exposure, and amend their notification policies.
- Train employees. Update training and implement new strategies for detecting breaches. Educate both employees and associates on HIPAA rule requirements.
- Audit marketing agreements. Revisit patient marketing consent agreements and contracts with third parties, and end any non-compliant collaborations.
Make Sure You Follow the HIPAA Omnibus Rule
The HIPAA Omnibus Rule has introduced new requirements to both covered entities and business associates alike. Failure to adhere to them could put organizations at risk of significant fines, reputation damage, and loss of patient trust. Make sure your strategy aligns with these updates, and ensure you’re staying current with new policies and rules as they emerge.