IT HIPAA Compliance: Five Things You Should Know About the Omnibus Rule

AE Technology Group
2 min read, Feb 17, 2014
IT HIPAA Compliance

It’s been six months since the newly passed HIPAA Omnibus rule went into full effect. The goal of the new rule was to provide better protections for patient information.

For health providers and IT companies, it’s all about compliance, and non-compliance can bring stiff penalties from the Office of Civil Rights.

Have you ensured your office is aligned with the new requirements? Here are five things to check:

  • Business associate accountability. The new rule expands how “business associates” are defined. In a nutshell, any company that sends or regularly accesses patient data is a business associate. This opens up a huge arena of liability. Each associate is responsible for protecting the data they are entrusted with, and the “source” of the data breach is the entity that will be held accountable. Business associates might include health IT companies, personal health record vendors, e-prescribing gateways or anyone that transmits or gathers your patient data. Be sure you are protected by having a valid Business Associate Agreement with all your subcontractors that clearly outlines their responsibility.
  • Patient access. The rule stipulates that patients must have access to their medical records in the electronic format they prefer, even if the patient’s requested format creates a security risk. Hospitals and providers are only obligated to let the patient know about the increased risk.
  • Marketing partners. Providers must obtain permission from each patient before partnering with a third-party service for marketing purposes. This includes third parties that wish to sell to the patient or simply collect payment. If the third party needs access to patient data, the patient must give permission first. Marketing agreements that were already in place before the Omnibus rule have until September 23, 2014 to obtain permission.
  • Protected data for the deceased. Providers can release health care data regarding a deceased person to family members, close friends or others that the patient indicated were involved in their care or payment for care. However, data is no longer protected once the patient has been dead for 50 years.
  • The role of a risk analysis. There are many aspects to the Omnibus rule. The most effective way to measure compliance is to perform a regular risk analysis. If a data breach were to occur, the Office of Civil Rights would want to see evidence that the company had performed a risk analysis.

Health care is going through tremendous reform. Legislative requirements are continuing to evolve. As a result, it’s imperative for health care organizations to have an IT partner they can trust. AE Technology Group specializes in Health Care IT. We know IT and we know the health care industry, including IT HIPAA compliance.

Contact us to find out how we can ensure your office is in compliance and meeting legislative requirements.
