Ten Tips for Omnibus Compliance

 

With a past-due compliance deadline of September 23, many organizations are finding themselves scrambling to ensure compliance and avoid penalties. The HIPAA Omnibus Rule makes business associates accountable for any misuse or failure to safeguard protected health information (PHI) and increases liability for noncompliance. Cintas Corporation recently released 10 tips to ensure health care practices remain compliant under the new rule.

“With penalties under the Omnibus Rule reaching up to $1.5 million per violation, it is crucial for organizations to put in place proper internal controls to ensure they remain HIPAA compliant,” says Karen Carnahan, president and COO of Cintas Document Management. “Protecting confidential patient information is critical to a health care institution’s success. In addition to HIPAA fines, health care providers risk long-term damage to their reputation and brand.”

To help achieve compliance under the Omnibus Rule, Cintas offers the following 10 tips:

1. Retrain employees. It is important to retrain employees on the updated policies and procedures addressing privacy, security, and PHI breaches as soon as possible.

2. Inventory vendors. The revised definition of “business associate” now includes a business associate’s subcontractors that create, receive, maintain, or transmit PHI. Review all relevant vendor relationships to determine if they are considered business associates under the Omnibus Rule.

3. Update agreements. The Omnibus Rule modifies the content requirements of business associate agreements. As a result, covered entities and business associates will need to revise existing business associate agreements. Health and Human Services has posted a sample version of a revised business associate agreement on its website.

4. Update general privacy policies and procedures. Review and revise internal policies and procedures, including HIPAA forms, to ensure that they reflect the changes made to the HIPAA Privacy Rules. The revisions should reflect changes to the definition of PHI and to the rules governing patient access to records, disclosures to third parties, research, marketing, fundraising and the sale of PHI, notifications to persons involved in a patient’s care, and other rules governing decedents and immunizations.

5. Update breach policies and procedures. Ensure policies and procedures are in place that allow you to determine if a breach occurred and if notice is required.

6. Determine if notice is required for a breach. Under the Omnibus Rule, if there is a breach, it is presumed that the covered entity or business associate must give notice unless they can demonstrate that there is a low probability PHI has been compromised, or unless a regulatory exception applies. Consider the following factors when determining the probability that PHI has been compromised:

• the nature and extent of the PHI involved, including the types of identifying information involved and whether the PHI is sensitive in nature;

• the characteristics of the unauthorized recipient of the PHI;

• whether the PHI was actually acquired or viewed;

• the extent to which the risk to the PHI has been mitigated after the unauthorized disclosure; and

• any other relevant factors.

7. Review breach-notification procedures. Make sure that required breach notifications are provided to the appropriate parties by the covered entity (or the covered entity’s business associate, if applicable) in a timely manner.

8. Encrypt or destroy PHI. The Omnibus Rule provides only two methods for securing PHI: encryption and destruction. The breach notification requirements only apply to breaches of "unsecured" PHI or information that is not secured by technology or methodology that renders the PHI unreadable, unusable, or indecipherable to unauthorized individuals. 

9. Review your Security Rule gap analysis. Now is the ideal time to review your HIPAA Security Rule gap analysis to ensure that it considers the changes made by the Omnibus Rule.

10. Revise and redistribute privacy practices. Be sure to update your HIPAA privacy notices to reflect the changes made by the Omnibus Rule.

To read the Final Rule in its entirety, visit www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

Source: Cintas Corporation