What Do I Need To Do to Comply with the HITECH Omnibus Rule? (the short version, please)

by | Mar 4, 2013 | HIPAA, Legislation & Rulemaking


The HITECH Omnibus Rule clocked in at 563 pages, and we have read, digested and condensed the nuts and bolts for you in the February 2013 edition of our Health Law Diagnosis newsletter. But if 11 pages is still too long for you, here is a checklist that bullets out the basics of what Covered Entity Health Care Providers need to know in order to update their compliance programs for HITECH and the Omnibus Rule:

  • Update the following HIPAA Policies & Procedures:
    • Patient Rights to Access: Patients now have a right to an electronic copy of their ePHI. An updated policy should address processes for how much data the patient can get; how much you can charge for producing electronic formats; security safeguards to be applied when transferring ePHI to the patient; and other issues.
    • Patient’s Right to Restrictions: When a patient pays for services “out-of-pocket” and in full, you must abide by any request the patient makes to restrict PHI generated from that visit from being disclosed to their health plan. The procedures should address how to flag such episodes in the record and abide by the restriction; informing patients that if disclosures are “required by law” then their restriction would not prevent such disclosures; and how to notify individuals that the restriction only applies to the provider restricting disclosures to the health plan, and does not necessarily prevent downstream disclosures (i.e., if a prescription is sent to the pharmacy, then the pharmacy may submit a claim for payment to the patient’s health plan).
    • Fundraising: You must provide a “clear and conspicuous” opportunity for individuals to opt out of future fundraising communications. You cannot condition treatment/payment on any decision. The NPP must include a sentence about this right to opt out.
    • Marketing: Communications that encourage a patient to use a product or service are considered marketing and require the patient’s signed HIPAA Authorization, unless the communication falls within specific new exceptions; but if there is any payment exchanged for making such a communication, then it may still be prohibited. This HITECH change is complicated, and revisions to this policy require careful drafting so as not to be overly restrictive or too permissive.
    • Prohibition on Sale of PHI: Policies must be updated to reflect that in any case where payment is exchanged for PHI, this must be flagged and is prohibited unless it falls within one of the specifically listed exceptions. Otherwise, the patient’s HIPAA Authorization is required.
    • Security Breach Notification: Policies governing security incidents and mitigation when there is an unauthorized disclosure of PHI must be updated to synchronize with the new Security Breach Notification obligations. A stand-alone new policy to govern Security Breaches is recommended for compliance with HITECH. Note that any draft policies that were prepared under the Interim Final Breach Rule must now be updated as a result of the Omnibus Final HITECH Rule to reflect that the “Harm” threshold no longer applies; instead, there is a presumption of Breach.
    • Definition of PHI: Policies should reflect two important changes to the definition of PHI: (i) Genetic Information is PHI, and is prohibited from being used for underwriting purposes; and (ii) PHI of decedents is no longer protected by HIPAA 50 years after their death. This last change should also be synchronized with an organization’s medical record retention policies, and with how it will deal with BAs who may retain PHI after termination of the underlying services contract (i.e., when return or destruction of PHI is not possible).
    • Public Health Disclosures: This policy should be updated to reflect the Omnibus Rule change that now permits proof of immunizations to be released to schools where the school is required by law to have that information. The policy should reflect that the parent or guardian’s approval is still required, which can be satisfied by documenting a phone conversation, an email or by other methods.
    • Minimum Necessary: This policy must reflect that Covered Entities and Business Associates must limit uses and disclosures of PHI to only the minimum amount necessary, or to the limited data set. Also, update BA Agreements accordingly.
    • Research: If your organization engages in research, policies can now, post-HITECH and Omnibus, permit compound authorizations, condition participation on authorization, and obtain authorization for future research.
    • De-identification: This policy should be reviewed and updated to reflect OCR’s new guidance on de-identification.
    • Accounting of Disclosures: STAY TUNED ON THIS ONE. HHS declined to finalize the proposed expansion of AOD to treatment, payment and health care operations, or the Access Report, in the Omnibus Rule. This will be the subject of a future Final Rule. In the meantime, Covered Entities may follow the “old” HIPAA standard for Accounting of Disclosures.

  • Update your HIPAA Business Associate Agreements: HIPAA BA Agreements must be updated to reflect required language. Covered Entities will also want to address issues such as determining if a BA is its “agent”, which carries with it significant implications post-HITECH, and including indemnity provisions as a result. It is also recommended that Covered Entities address BAs’ rights with regard to using de-identified data, and what to do with information 50 years after a patient’s death, among other issues.
  • Update Your HIPAA Authorization: If you are sending marketing communications, you must update your Authorization forms to indicate this. If you are using HIPAA Authorizations for research, make sure to update them for the new changes.
  • Update your Fundraising forms: If your organization engages in fundraising activities, then you must update your communications for the new “opt-out” requirement.

For more help, email me at helen@oscislaw.com for more information about the forms and checklists available in our HIPAA HITECH Helpbook, or our HIPAA HITECH Workshop.
