HIPAA/HITECH Omnibus Final Rule – Last Few Weeks To Comply!

In Uncategorized on August 27, 2013 at 6:38 pm

On January 17, 2013, the U.S. Department of Health and Human Services (“HHS”) issued a final rule (“Omnibus Rule”) affecting multiple aspects of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the HITECH Act.  

The Omnibus Rule, commonly referred to by this name because of its sweeping scope, is comprised of four final rules that (in general and succinct terms):

  • modify aspects of HIPAA and its implementing regulations including the privacy standards located at 45 C.F.R. parts 160 and 164, subparts A and E (the “Privacy Rule”), the security standards located at 45 C.F.R. parts 160, 162 and 164, subpart C (the “Security Rule”), and enforcement standards located at 45 CFR part 160, subparts C, D, and E (the “Enforcement Rule”);
  • implement statutory amendments, including an increased and tiered civil money penalty structure, under the Health Information Technology for Economic and Clinical Health Act (“HITECH”);
  • modify the interim final rule for Breach Notification for Unsecured Protected Health Information located at 45 C.F.R. part 164, subpart D (the “Breach Notification Rule”), including replacing its harm threshold for breach notification requirements with a default presumption that an acquisition, access, use, or disclosure of PHI that violates the Privacy Rule is a breach, and supplant the Breach Notification Rule as of the Compliance Date (covered entities and business associates must continue to comply with the interim rule in the meantime); and
  • modify the HIPAA Privacy Rule by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (“GINA”), clarify that genetic information is health information, and prohibit health plans, including group health plans, health insurance issuers (including HMOs), and issuers of Medicare supplemental policies, from using or disclosing genetic information for underwriting purposes.

The Omnibus Rule went into effect on March 26, 2013, and, except with respect to certain grandfathered business associate agreements, HIPAA covered entities and business associates must comply with its requirements by September 23, 2013. The Business Associate’s Agreement between you and your billing company – if entered into prior to March 26, 2013 – is in fact one of those that has been grandfathered in and allowed a one-year extension in which to comply.

The AMA summarized more fully the portions of the Omnibus Rule that impact the medical provider community. Please be sure to review this carefully to ensure compliance. Additionally, I have attached a sample HIPAA/Omnibus Notice of Privacy Practices, which, once modified to include specific data points pertaining to your practice, may be used by your practice going forward. This sample was taken largely (but modestly adapted) from the sample Omnibus Notice published by MGMA.

Attachment: sample HIPAA Omnibus Notice of Privacy Practices-adapted from MGMA

As always, please do not hesitate to contact M.E.D.I.C., Inc. with any questions that you may have about this.


HITECH Provisions To Have Been Effective 2/17/10 Delayed…

In Uncategorized on March 18, 2010 at 5:52 pm

As we all know, HITECH provisions (which were contained in ARRA) were to go into effect as of February 17, 2010. However, the opportunity for notice and comment mandated as part of the rulemaking process has not yet occurred. As such, the implementation of those HITECH provisions has been delayed. The Department of Health & Human Services’ Office of Civil Rights posted the following notice on its website:

HITECH Act Rulemaking and Implementation Update

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification.  New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009.  Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.