2013 HIPAA Omnibus Modifications

Patti Kritzberger, RHIT, CHPS, CPHP

North Dakota Health Care Review

May 1, 2014

Omnibus Composition

  • HITECH Privacy & Security

    • Business Associates

    • Marketing & Fundraising

    • Sale of PHI

    • Right to Request Restrictions

    • Electronic Access

  • HITECH Breach Notification

  • HITECH Enforcement

  • GINA Privacy

  • Other Non-Statutory Modifications

    • Research

    • Notice of Privacy Practices

    • Decedents

    • Student Immunizations

Important Omnibus Dates

  • January 25, 2013 – Final rule (45 CFR Parts 160 and 164) published in the Federal Register

  • March 26, 2013 – Effective date

  • September 23, 2013 – Compliance date

  • September 22, 2014 – End of the transition period for existing BA contracts (agreements in place before January 25, 2013 could run unchanged until this date unless renewed or modified earlier)

  • Most of the interim and proposed provisions were finalized; still pending at the time of this presentation: 1) accounting for disclosures / access reports; 2) minimum necessary guidance; and 3) distribution of penalties and settlements to harmed individuals

Key Modifications of Omnibus

  • Finalizes the HITECH changes set out in the 2010 proposed rule

  • Business associates – directly liable for compliance with certain HIPAA Privacy and Security provisions

  • Strengthens limitations on use and disclosure of PHI for marketing and fundraising

  • Prohibits sale of PHI without authorization

  • Expands patients' rights to receive electronic copies of their health information

  • Requires a covered entity to honor a request to restrict disclosures to a health plan for payment or health care operations when the patient has paid for the item or service in full out of pocket

  • Requires covered entities to modify and redistribute their Notice of Privacy Practices

  • Modifies individual authorization and other requirements to facilitate research, permit disclosure of child immunization records to schools, and enable access to decedent information

Business Associate Definition – OLD RULE

The old HIPAA Rule defined "business associate" to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information.


Business Associate Definition – NEW RULE

The final rule adopts language that expressly designates as business associates: (1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.

Business Associates-Subcontractors

In the new rule, a business associate includes a "subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate."

"Subcontractor" is clarified as "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate." The Privacy and Security obligations therefore follow the PHI down the chain: a subcontractor is directly liable in the same way as the business associate that engaged it.

Conduit Exception

  • The exception is limited to transmission services (digital or hard copy), including any temporary storage of transmitted data incident to the transmission

  • Intention – to exclude only entities providing a mere courier service, such as the USPS, Federal Express and their electronic equivalents

  • A vendor that stores PHI persistently on a covered entity's behalf is a business associate even if it never actually views the data; "temporary" means storage incident to delivery, not a hosting, backup or document-storage service


Marketing

  • Omnibus Rule definition: "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service"

  • If the covered entity receives financial remuneration from a third party to make the communication, it must obtain the individual's authorization; the allowance for remuneration that only covers labor, supplies and postage applies to refill reminders and other communications about a drug or biologic the individual is currently prescribed


Fundraising

  • PHI in these new categories may be used for fundraising without authorization:

    • Department of service

    • Treating physician

    • Outcome information

    • Health insurance status

  • Each fundraising communication must give the individual a clear and conspicuous way to opt out; the opt-out method must not cause undue burden or more than nominal cost, and opting out must not affect treatment or payment

  • If the patient opts out – NO further fundraising communications may be sent to that patient

Sale of PHI

  • Covered entities cannot receive remuneration in exchange for PHI, even where disclosure is permitted, unless authorized by individual

  • If an authorization is obtained it must specifically state that remuneration will result from the disclosure

Sale of PHI Exceptions

Exceptions with no limit on remuneration:

  • Treatment and payment

  • Public health

  • Sale, transfer or merger of the covered entity

  • Business associate-related services

  • Disclosures required by law

Exceptions where remuneration is limited to a reasonable, cost-based fee:

  • Research

  • Providing the individual access to their PHI or an accounting of disclosures

  • Any other permitted disclosure – fee limited to the reasonable cost of preparing and transmitting the PHI

Right to Request a Restriction of Uses and Disclosures

Old Rule: Individuals could request that a covered entity restrict uses or disclosures of their PHI, but covered entities were not required to agree.

New Rule: If an individual requests a restriction on disclosure to a health plan for the purpose of payment or health care operations, and the restriction applies to PHI that pertains to a health care item or service for which the individual (or someone on the individual's behalf other than the health plan) has paid in full out of pocket, the covered entity must agree unless the disclosure is required by law.

Access to Electronic Health Records

  • If PHI is electronic, an individual can request a copy and the covered entity must provide access in the requested electronic format if readily producible.

  • If not readily producible, the individual and covered entity must agree on a readable electronic format

Access to Electronic Health Records, cont

  • If requested, covered entity must transmit ePHI to individual’s designee

    • Request must be in writing & signed

    • Clearly identify the designee and where to send the copy

  • Covered entity does not have to purchase new software to comply with this but must have capability to provide some form of electronic copy

  • If an individual declines to accept an alternate electronic format than requested, covered entity can default to paper copy

  • Covered entity is not required to accept a personal device from individual but can’t require them to purchase device from covered entity

Access to Electronic Health Records, cont

  • Charging: the covered entity may charge a reasonable, cost-based fee covering

    • Labor for copying (including technical staff time to create the electronic copy), but not for searching for or retrieving the record

    • Cost of electronic media (CD, USB, etc.) when the individual asks for the copy on portable media

  • Timeframe to act on a request: the covered entity has 30 days (with one 30-day extension, on written notice to the individual of the reason for the delay and the expected completion date) to act on the request

Breach Definition

  • New Definition: (Removes the risk of harm) “Impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, can demonstrate low probability that the PHI has been compromised,” based on a risk assessment of:

    • Nature and extent of PHI involved (types & likelihood of re-identification)

    • Who received/accessed the information

    • Potential that PHI was actually acquired, viewed or disclosed

    • Extent to which risk to the data (PHI) has been mitigated

Breach Notification

  • The other provisions of the 2009 Interim Final Rule are made permanent, including:

    • Notification timeline (starts at date of discovery)

    • Content & methods of notification

    • Notification by Business Associate

    • Minor modification regarding notice to Secretary of smaller breaches – to occur within 60 days of end of CY in which breach was discovered

    • Documentation and burden of proof

Potential Breaches

  • One employee inappropriately accessing another employee’s chart

  • Employee inappropriately accessing family members’ or friends’ charts

  • Information sent, faxed or emailed to the wrong address, fax number or email address

  • Inappropriate access to high profile individual’s information (celebrity, etc)

  • Posting information on social media that contains specific information that can be linked to a patient
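The snooping and misdirected-transmission cases on this slide are normally found after the fact in the EHR's access audit trail. The following is an added example, not part of the presentation and not any vendor's product, showing how a privacy office might screen an audit export for those patterns; the record layout, field names, user ids, MRNs, addresses and sample rows are all constructed, and a hit is a candidate for the four-factor risk assessment described under Breach Definition, not a finding in itself.

```python
"""Added illustration, not from the presentation: a small audit-log review
that flags the access patterns on the 'Potential Breaches' slide.
Everything here (record layout, field names, user ids, MRNs, the sample rows)
is constructed for the example; a real EHR audit export looks different and
these rules only pick candidates for a privacy officer to review."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Patient:
    mrn: str
    surname: str
    address: str
    is_employee: bool          # patient is also a workforce member
    vip: bool                  # flagged as high profile by the privacy office
    care_team: frozenset       # user ids with a documented treatment relationship
    contacts: frozenset        # fax numbers / e-mail addresses on the patient's record


@dataclass(frozen=True)
class Staff:
    user_id: str
    surname: str
    address: str


@dataclass(frozen=True)
class AuditEvent:
    event_id: str
    user_id: str
    mrn: str
    action: str                # VIEW | FAX | EMAIL
    target: str = ""           # destination for FAX / EMAIL


def review_event(ev, patients, staff):
    """Return the review reasons for one event; an empty list means nothing to flag."""
    p, u = patients[ev.mrn], staff[ev.user_id]
    reasons = []
    # Snooping checks only apply to users who are not treating the patient.
    if ev.user_id not in p.care_team:
        if p.is_employee:
            reasons.append("chart of a workforce member opened without a treatment relationship")
        if u.surname.lower() == p.surname.lower() or u.address.lower() == p.address.lower():
            reasons.append("possible family member or friend (shared surname or address)")
        if p.vip:
            reasons.append("high-profile patient opened without a treatment relationship")
    # Misdirected transmission: destination is not one the patient has on file.
    if ev.action in ("FAX", "EMAIL") and ev.target.lower() not in p.contacts:
        reasons.append(f"{ev.action.lower()} sent to a destination not on the patient's record")
    return reasons


def review_log(events, patients, staff):
    """Map event_id -> reasons for every flagged event; clean events are omitted."""
    flagged = {}
    for ev in events:
        reasons = review_event(ev, patients, staff)
        if reasons:
            flagged[ev.event_id] = reasons
    return flagged


# Constructed sample data (hypothetical people, ids and contact details).
STAFF = {s.user_id: s for s in [
    Staff("u100", "Andersen", "12 Elm St"),
    Staff("u200", "Berg", "44 Oak Ave"),
    Staff("u300", "Carlson", "9 Pine Rd"),
]}
PATIENTS = {p.mrn: p for p in [
    Patient("MRN1", "Andersen", "12 Elm St", False, False, frozenset({"u200"}), frozenset()),
    Patient("MRN2", "Berg", "44 Oak Ave", True, False, frozenset({"u100"}), frozenset()),
    Patient("MRN3", "Dahl", "3 Lake Dr", False, True, frozenset({"u200"}), frozenset()),
    Patient("MRN4", "Eng", "7 Hill Ct", False, False, frozenset({"u200"}),
            frozenset({"7015550100", "eng@example.org"})),
]}
EVENTS = [
    AuditEvent("e1", "u200", "MRN3", "VIEW"),                      # treating physician: clean
    AuditEvent("e2", "u300", "MRN3", "VIEW"),                      # clerk opens a VIP chart
    AuditEvent("e3", "u100", "MRN1", "VIEW"),                      # nurse opens a relative's chart
    AuditEvent("e4", "u300", "MRN2", "VIEW"),                      # clerk opens a colleague's chart
    AuditEvent("e5", "u200", "MRN4", "FAX", "7015550199"),         # fax to a wrong number
    AuditEvent("e6", "u200", "MRN4", "EMAIL", "eng@example.org"),  # e-mail to the address on file
]


def demo():
    """Run the review over the constructed sample; returns the flagged events."""
    return review_log(EVENTS, PATIENTS, STAFF)


if __name__ == "__main__":
    for event_id, reasons in demo().items():
        print(event_id, "->", "; ".join(reasons))
```

The treatment-relationship check is what keeps the false-positive rate tolerable: a nurse on the care team legitimately opens a colleague's or a celebrity's chart, so the snooping rules only fire for users outside the documented care team, while the misdirected-fax rule fires regardless of who sent it. Each flagged event still has to go through the risk assessment (what was in the record, who received it, whether it was actually viewed, what mitigation was possible) before it is treated as a reportable breach.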

Five Fine-Determining Factors

  • Nature and extent of the violation – including the number of individuals affected and the time period during which the violation occurred

  • Nature and extent of harm resulting from the violation – physical, financial, reputational, or hindering an individual's ability to obtain health care

  • History of prior compliance with the administrative simplification provisions, including previous violations by the CE/BA

  • Financial condition of the CE/BA

  • Such other matters as justice may require

GINA (Genetic Information Nondiscrimination Act)

  • Clarifies that genetic information is health information, and therefore PHI, under the Privacy Rule

  • The underwriting prohibition applies to health plans, not to providers or other covered entities

  • Health plans other than long-term care plans may not use or disclose genetic information for underwriting purposes

Notice of Privacy Practices

  • New notices were to be out 9/23/13

  • Must add information regarding:

    • Sale of PHI

    • Duty to notify affected individuals of a breach of unsecured PHI

    • Right to opt out of fundraising (if applicable)

    • Right to restrict disclosures of PHI when product or service was paid in full out of pocket

    • Limit on use of genetic information (certain health plans)


Decedents

  • 50 years after death, the PHI of a deceased individual is no longer protected health information

  • Unless inconsistent with a prior expressed preference of the individual, a covered entity may disclose a decedent's PHI to family members and others who were involved in the individual's care or payment for care before death, limited to the PHI relevant to that involvement

Student Immunizations

  • Under the new rule, covered entities no longer need an authorization to release immunization records to a school if:

    • State or other law requires the school to have proof of immunization before admitting the student

    • The covered entity obtains and documents the agreement of the parent, guardian or other person acting in loco parentis (or of the individual, if an adult or emancipated minor); the agreement may be written or oral, but oral agreement must be documented


North Dakota Health Care Review, Inc.

Improving health and healthcare for the people of North Dakota

Patti Kritzberger, RHIT, CHPS, CPHP


3520 North Broadway  Minot, ND 58703