WHAT CHANGES HAVE BEEN MADE TO HIPAA?

• On September 23rd, 2013 the Omnibus Rule went into effect. The Omnibus Rule amends HIPAA’s (the Health Insurance Portability and Accountability Act of 1996) Privacy and Security Rules, which now apply not only to Covered Entities (CEs) like health-care providers BUT ALSO to third-party Business Associates (BAs) like IT vendors, attorneys, accountants, and others who come in contact with Protected Health Information (PHI).
• These enhancements were first suggested in the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act. More commonly known as the “stimulus,” ARRA made federal funds available to speed up the adoption of Electronic Health and Medical Records (EHR and EMR).
• The bulk of the changes center on how PHI is handled, how new Business Associate Agreements (BAAs) are implemented, how data breaches are reported, and what penalties can be applied in the case of a breach.

WHAT ARE THE RAMIFICATIONS OF THESE RULES?

• If your business or medical practice accepted stimulus funds for EHR/EMR, be prepared for a potential audit by the Department of Health and Human Services’ (HHS) Office of Civil Rights.
• If you know that a Business Associate or Covered Entity are not HIPAA compliant, you’re responsible for reporting them.
• Data breaches affecting under 500 people must be reported annually to HHS yearly; data breaches affecting over 500 people must be reported immediately to HHS and the media.
• Failure to properly report data breaches or non-compliance can result in fines of between $1,000 and $1.5 million, along with publicly accessible listings on HHS’ “HIPAA Wall of Shame.”