This article explores the proposed HHS Omnibus Rule. The HHS Omnibus Rule ("OR") mostly concerns sections of the HITECH Act that went into effect on February 18, 2010. There was an NPRM that was issued on July 14, 2010 that contained the changes proposed for the final rule. It is quite evident that HHS has not broken any "land speed records" in finalizing the OR, but all indications are that it will be forthcoming "soon." The full text of the OR can be found here. 

To continuing reading the article subscribe to our FREE newsletter or read it in the archives.

 Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

The HHS Omnibus Rule ("OR") mostly concerns rule making regarding sections of the HITECH Act that went into effect on February 18, 2010. There was an NPRM that was issued on July 14, 2010 that contained the changes proposed for the final rule. It is quite evident that HHS has not broken any "land speed records" in finalizing the OR, but all indications are that it will be forthcoming "soon." The full text of the OR can be found here.

In other words, the Omnibus Rule

("OR") is going to be a big deal; it will

likely set the tone for the HIPAA Rules

for the next three years...

This series of posts will contain a summary of the proposed rule so that we can begin to dissect it in anticipation of its release. The OR will be comprehensive in scope. Here's the money quote from the NPRM regarding its contents:

While passage of the HITECH Act necessitates much of the rulemaking below, it does not account for all of the proposed changes to the HIPAA Privacy, Security, and Enforcement Rules encompassed in this rulemaking. The Department is taking this opportunity to improve the workability and effectiveness of all three sets of HIPAA Rules. The Privacy Rule has not been amended since 2002, and the Security Rule has not been amended since 2003. While the Enforcement Rule was amended in the October 30, 2009, interim final rule to incorporate the enforcement-related HITECH statutory changes that are already effective, it has not been otherwise substantively amended since 2006. In the intervening years, HHS has accumulated a wealth of experience with these rules, both from public contact in various forums and through the process of enforcing the rules. In addition, we have identified a number of needed technical corrections to the rules. Accordingly, we propose a number of modifications that we believe will eliminate ambiguities in the rules and/or make them more workable and effective. Further, we propose a few modifications to conform the HIPAA Privacy Rule to provisions in the Patient Safety and Quality Improvement Act of 2005 (PSQIA).

In other words, the OR is going to be a "big deal" because it is likely to set the tone for the HIPAA Rules for at least the next three years (i.e. major revisions like this simply do not occur all that often). According to HHS, once the OR is finalized covered entities (CEs) and business associates (BAs) will get 180 days to comply. HHS also plans to update the HIPAA Rules to make the 180 days a "general rule" with respect to when compliance by stakeholders is effective after a rule change.

There are lots of detailed changes in the OR and so we will summarize these into various categories so as not to lose sight of the forest for the trees. We have already covered one big change and that is that business associates will be everywhere under the OR, because subcontractors of traditional BAs will themselves be treated as full fledged BAs. This change alone is big enough to shake up the existing compliance status quo and is a harbinger of things to come.

Here's Part II of this series of posts.

 Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

This month's article explores the use of social media and mobile devices in the healthcare industry and the potential risks associated with such rampant use. It is not a question of whether or not covered entities ("CEs") should engage in this type of use, the fact of the matter is that they are doing so in large numbers. This phenomenon is not about to stop anytime soon, nor should it. Social media and mobile devices provide CEs with a way to engage their patients in a manner that allows CEs to differentiate their offerings in an increasingly more competitive marketplace.

To read the rest of the article sign up for our FREE newsletter or read it in the archives.

 Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Are you for an Internet Lawyer with HITECH /HIPAA experience? 

This article completely misses the point with respect to the applicability of HIPAA to lawyers. Lawyers are clearly business associates of covered entities. Under the HITECH Act business associates are required to comply with the HIPAA Security Rule. There is no "hole" in the law (or exemption) that excludes lawyers. In fact, lawyers are expressly named in the definition of a business associate. This law firm's covered entity is on-the-hook for providing breach notification to the patients whose records were comprised. Furthermore, the covered entity should have had  a business associate contract in place with its law firm.

So are all business associates created equal? The answer to that question is yes, in the sense that ALL must comply with the law as written. However, from a practical perspective, a law firm's compliance with the HIPAA Security Rule is not likely to be the same as a cloud-based EHR's vendor compliance and this is completely "appropriate and reasonable" under the Security Rule's Flexibility principle. Covered entities are going to have little choice other than to structure their business associate contracts specifically to the type of function performed by the business associate, and business associates will need to comply consistent with the function performed.

 Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Are you for an Internet Lawyer with HITECH /HIPAA experience? 

There may be some disagreement as to when the HHS Omnibus Rule will actually arrive but everyone agrees that it is coming. Director Rodriguez confirmed as much last week. There is also very little doubt that the Rule is going to have a huge impact on business associates.

The revised business associate definition from the NPRM issued in July 2010 is as follows:

Business associate:

(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:

(A) A function or activity involving the use or disclosure of protected health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or

(B) Any other function or activity regulated by this subchapter; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in ß 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity may be a business associate of another covered entity.

(3) Business associate includes:

(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.

(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.

(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

(4) Business associate does not include: 

(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual. 

(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of ß 164.504(f) of this subchapter apply and are met. 

(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.

(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.

A couple of changes in the definition require special mention:

1. The term "individual identifiable health information" has been replaced with protected health information (technical modification but nonetheless something to be aware of).
2. The "treatment" and other exceptions are now included in the definition instead of being scattered about the HIPAA Privacy and Security Rules.
3. Subcontractors of business associates are now on the hook.

The last point can be depicted graphically as follow:

It hasn't gotten nearly as much attention as it deserves, but that will change as soon as the Omnibus Rule is released. As Director Rodriguez said so artfully "stay tuned."

 Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Are you for an Internet Lawyer with HITECH /HIPAA experience?

We are re-visiting an earlier post because of some comments made by OCR Director Rodriguez last week. Comments that we wanted to call additional attention to because he was clearly sending a message, all you had to do was read a little between the lines.

We now live in a 24/7 365 real time

Twitter universe. The compliance

status quo is dead: the iPhone and

Facebook killed it. The new sheriff

in town gets it.

Don't be fooled by the "nice guy" act. He's a former prosecutor, those guys simply don't rise in the ranks because of their "niceness."  Having said that, he does genuinely seem to be a nice guy and a very smart one. He made the following comments that did not make it into our previous post on this topic:

1. Patient trust is key to success (read consumers and OCR simply won't tolerate the kinds of breaches that appear to be happening on a daily basis).
2. OCR has provided significant educational guidance with respect to how to get into compliance (read the excuse of "it's too expensive" or "we don't have the resources" won't prevent a finding of willful neglect).
3. After the NPRM is released covered entities and business associates will have 180 days to comply, but there is lots that can be done now (read there ain't going to be much tolerance past the 180 days).
4. Live by the program you create (read policies aren't enough, you better have the appropriate processes and tracking mechanisms in place).

Yes, OCR is way past due in meeting its regulatory obligations, BUT I don't think they are going to "laying down" for the healthcare industry. They can't. We now live in a 24/7 365 real time Twitter universe. The compliance status quo is dead, the iPhone killed it.

 Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Are you for an Internet Lawyer with HITECH /HIPAA experience?