When the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, health care providers were required to follow privacy and security standards for Protected Health Information (PHI). Since that time, HIPAA rules have expanded to include electronic health care records as well. The latest change to the law, enacted in 2013, is the Final Omnibus Rule. Here we share what this rule means for your business.
Business Associate Designation
The HIPAA Final Omnibus Rule marks the most sweeping change to patient privacy protection since the inception of the law. These changes apply to health care providers and their “business associates,” defined as any organization that stores, receives, creates, or maintains PHI on behalf of a covered entity. Under the rule, the definition of a business associate has expanded to include:
- Organizations or persons that provide data transmission services with respect to PHI for a covered entity
- Vendors offering PHI records to individuals on behalf of a covered entity
- Subcontractors that receive, create, or maintain PHI on behalf of a Business Associate
If your company falls under any of these categories, or handles PHI in any way, it must have a business associate agreement requiring:
- Compliance with the Security Rule
- Breach reporting standards
- Compliance with the Privacy Rule
The Final Omnibus Rule also changes the definition of a “breach.” Before it was enacted, limited data sets of PHI that were used or disclosed and did not contain dates of birth or ZIP codes were excluded from the breach notification rules. Now, even limited data sets, regardless of content, must be handled like any other breach of PHI. As a result, it’s important to maintain a strict chain of custody when handling all types of PHI.
Breach Notification Rules
Breach notification rules have not changed under the Final Omnibus Rule. Covered entities are still required to notify affected individuals no later than 60 days after the discovery of a breach. They must also provide notice to the media and the Department of Health and Human Services. However, in the event of a breach, both covered entities and business associates must demonstrate that notification requirements were met, or provide documentation showing that the unauthorized use or disclosure did not constitute a breach. In short, your business should have documented policies and procedures in place to detect and respond to breaches of PHI.
If you are a HIPAA covered entity or business associate, the Final Omnibus Rule impacts your organization. If you need further compliance guidance, we can help.
Pacific Records Management provides HIPAA-compliant records and information management solutions for businesses throughout Fresno, Stockton, Sacramento, Modesto, and Napa and Solano Counties. For more information, please contact us by phone or complete the form on this page.