With the passing of the Omnibus Rule, HIPAA came into its present form. Protections from the Privacy and Security Rules are now more stringent. And failure to meet any of the HIPAA rules is now met with greater fines, even when the organization doesn’t realize it broke a rule.
The HIPAA Omnibus Rule: HIPAA As We Know It
If your organization processes protected health information (PHI), there’s a good chance you need to comply with the Omnibus Final Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Omnibus Rule extended HIPAA’s reach and stakes, giving it the country-wide and cross-industry regulatory strength it is known for today.
A complete understanding of the rule and all that it implies starts with the regulatory context around its introduction in 2009. From there, you'll need to consider the full scope of HIPAA's three prescriptive rules (Privacy, Security, and Breach Notification), along with the Enforcement Rule that the HIPAA Omnibus Rule strengthened.
Deeper, Broader PHI Protection Under HITECH Act
HIPAA dates back to 1996. However, its current form is more recent, as Omnibus Rulemaking incorporated several elements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) into the HIPAA Rules. HITECH encouraged the transition away from paper and other physical recordkeeping to electronic health records (EHR).
While incentives made the transition easier, they also came with a regulatory trade-off.
HITECH raised the stakes of HIPAA compliance, applying Security Rule protections to most or all protected health information (PHI). Furthermore, it introduced a tiered penalty system for non-compliance, eliminating exceptions for insignificant or negligent violations.
All of this amounted to a stronger HIPAA under the Omnibus Rule: its requirements are now much more demanding to follow, and the penalties for failing to follow them are significantly higher.
The HIPAA Privacy Rule: Authorized Access, Defined
The first and most foundational rule in HIPAA is the Privacy Rule. It defines basic concepts like what information is protected and which parties all of the HIPAA rules apply to. Before the Omnibus Final Rule, it also established the initial penalty structure for HIPAA violations.
The most important takeaway from the Privacy Rule is that Covered Entities (see below) must limit access to and use of PHI to a defined set of uses. Two uses are required: disclosure to the subject of the PHI upon their request, and disclosure to the HHS during compliance investigations. Beyond these, there are also Permitted Uses and Disclosures (see below).
Critically, these restrictions apply only to PHI that remains personally identifiable (PII). De-identified PHI is not subject to the same restrictions. One of the best defenses against non-compliance is therefore a rigorous de-identification program that limits the amount of PII held on your network.
HIPAA Covered Entities and Business Associates
Generally speaking, HIPAA applies to all organizations that come into contact with PHI, which includes information about patients’ health conditions, treatment, and payment for treatment.
However, HIPAA designates three kinds of Covered Entity to whom HIPAA applies most directly:
- Healthcare providers, including individual practices and group care facilities
- Healthcare insurance plans and all parties involved in their administration
- Healthcare clearinghouses, such as payment and other processing services
Beyond these entities, HIPAA requirements can also apply to Business Associates thereof, even if these third parties operate in a different industry altogether. This is a direct influence of the HITECH Act and Omnibus Rulemaking. As a result, attorneys, accountants, and other partners who come into contact with PHI through their work with a Covered Entity now need to comply with HIPAA. Business Associate contracts establish their responsibilities to that effect.
Permitted and Required Uses and Disclosures
There are certain cases in which PHI can be disclosed outside of the Required Uses mentioned above. They are enumerated as Permitted Uses and Disclosures under the Privacy Rule:
- To the subject – Disclosure to the subject of the PHI or their representative(s)
- For healthcare uses – Uses critical to healthcare functions, such as:
  - Treatment applications, including provision and management
  - Payment for healthcare treatments, procedures, and transactions
  - Operations of healthcare facilities, including business administration
- With implied agreement – Uses with an opportunity to agree or object, as in:
  - Retention of personally identifiable details in facility directories
  - Communication of or about PHI with subjects' family members, etc.
- Incidental – Individual, relatively insignificant uses or disclosures that occur incidentally alongside other required or permitted uses, provided security measures are in place.
- In the public interest – Uses for public benefit activities, including but not limited to:
  - Disclosure as mandated by state regulations or court orders
  - Uses in service of public health activities, such as research
  - Disclosures to governmental bodies to protect victims of abuse
  - Disclosures required for health oversight activities, such as audits
  - Uses requested by law enforcement for the purposes of investigation
  - Disclosures to funeral home directors and end-of-life care facilitators
  - Uses related to organ, tissue, or other forms of donation upon death
  - Disclosures for scientific research aimed at generalizable knowledge
  - Uses critical to preventing threats of harm to individuals or the public
  - Uses necessary for critical governmental functions
  - Disclosures necessary for workers' compensation claims
- Of a limited data set – Partially de-identified data may be used for research, operations, public benefit, or other uses, as long as the subject agrees and safeguards are in place.
Outside of these cases, and unless expressly authorized by the data subject, PHI cannot be used or accessed. Measures to prevent such uses are delineated in the Security Rule.
The HIPAA Security Rule: How to Safeguard PHI
The Security Rule establishes measures organizations should implement to ensure PHI is not accessed inappropriately. In particular, the Security Rule ensures the confidentiality, integrity, and availability of PHI. To do so, it requires organizations to monitor for and prevent “reasonably anticipated” risks through rigorous risk assessment and implementation of specific safeguards.
When the Security Rule was first adopted, it applied specifically to electronic PHI (ePHI), not conventional paper and other records. However, as a result of HITECH and Omnibus Final Rulemaking, these safeguards now apply to all PHI and PHI environments.
In effect, the Security Rule is an extension of the Privacy Rule.
Managing Risks to PHI Confidentiality, Integrity, and Availability
The Security Rule ensures the confidentiality, integrity, and availability of PHI. Confidentiality is synonymous with privacy or restriction of inappropriate access. Integrity means that no changes are made to data (including deletion) without authorization. And availability means that PHI is able to be provided in authorized or permitted cases—easily accessible and without delay.
The first step toward ensuring these pillars is a risk analysis that identifies what could threaten them.
The HHS does not specify any metrics or protocols that risk analysis needs to include. However, it does provide guidance on HIPAA Risk Analysis, which emphasizes the importance of:
- Vulnerabilities – These are weaknesses in your IT or security infrastructure that could lead to PHI being compromised if an attack, disaster, or other threat were to arise.
- Threats – These are agents (human or otherwise) that could exploit a vulnerability and compromise PHI, including natural hazards and human negligence or malicious intent.
- Risks – This is the relationship between vulnerabilities and threats, expressed in terms of how likely an incident is to occur and the potential impact that would result if it does.
Beyond taking stock of these, your organization needs to implement proactive safeguards to prevent and mitigate the identified risks. These include but are not limited to the administrative, physical, and technical safeguards named in the Rule.
The HIPAA Breach Notification Rule Requirements
The Omnibus Final Rule also requires organizations to report breaches of PHI. Any disclosure not permitted by the Privacy Rule, or any incident that the Security Rule requires preventing, could constitute a breach—unless it can be proven that PHI breached was de-identified.
If a breach occurs, you’ll need to provide notice, without reasonable delay, including:
- The nature of the PHI involved in the breach, and to what extent it is involved, including the identifiable information breached and the relative likelihood of its re-identification.
- The identity of the individual or other entity to whom PHI was disclosed inappropriately.
- Whether or not the PHI that was disclosed was viewed or otherwise used by the entity.
- Whether and to what extent risks to the PHI have been mitigated by the Covered Entity.
In all cases, Covered Entities must provide this notice to the individuals impacted by the breach (those identified in the PHI). This notice must be provided in writing within 60 days of breach discovery. If the Covered Entity lacks contact information for 10 or more people, it must make reasonable efforts to contact them and host information about the breach on its website.
Covered Entities must also provide notice to the HHS Secretary. This can be provided on an annual basis unless the breach in question impacts more than 500 people. In such cases, the HHS Secretary must be notified within 60 days. Likewise, these bigger breaches impacting 500 or more people necessitate notice to prominent media organizations in impacted locations.
The HIPAA Enforcement Rule: Fines and Processes
The HIPAA Enforcement Rule saw some of the biggest changes announced by HITECH. It gave the Office for Civil Rights (OCR) more power to enforce HIPAA rules with a more regimented investigation process. As noted above, the HIPAA Omnibus Rule enhanced the stakes of compliance by changing the penalty and enforcement structure.
Namely, HITECH introduced a tiered system for classifying and penalizing violations:
- Tier 1 Violations – If a Covered Entity committed a violation but was unaware of it or could not have avoided the circumstances leading to it, it is considered a "Lack of Knowledge."
  - Per-violation fines range from $127 to $63,973 (annual cap: $1,919,173)
- Tier 2 Violations – If a Covered Entity is expected to have known about the violation but still could not realistically have prevented it, it is considered to have "Reasonable Cause."
  - Per-violation fines range from $1,280 to $63,973 (annual cap: $1,919,173)
- Tier 3 Violations – If a Covered Entity directly neglected its responsibilities, resulting in a violation, and then took action to correct it, it is "Willful Neglect" (with correction).
  - Per-violation fines range from $12,794 to $63,973 (annual cap: $1,919,173)
- Tier 4 Violations – If a Covered Entity neglectfully commits a violation and then either refuses or fails to take corrective action within 30 days, it is "Willful Neglect" (without correction).
  - Per-violation fines range from $63,973 to the annual cap of $1,919,173
As these tiers show, organizations are not excused from fines simply because they were unaware of a violation. These lower-tier offenses are still penalized, though at the lowest level. It should also be noted that HITECH allows penalties for Tiers 1 and 2 to be waived, at the OCR's discretion, where the Covered Entity corrects the violation within 30 days.
Meet Omnibus Rule HIPAA Requirements with HITRUST
One way to meet the enhanced requirements of the Omnibus Rule is to implement another omnibus compliance framework: the HITRUST CSF. Originally developed for organizations in healthcare, HITRUST incorporates controls for HIPAA compliance along with several other legal and industry standards. HITRUST is among the most comprehensive and rigorous cybersecurity frameworks available. It’s not mandated by any state or federal laws at present. But an increasing number of payors and other stakeholders in healthcare are coming to expect it.
HITRUST Certification involves implementing a selection of controls from the CSF in preparation for a validated assessment. Then, depending on your regulatory needs, your assessor will evaluate and report on your security assurance and provide documentation of your PHI safeguards.
Optimize Your HIPAA Compliance Today
The Omnibus Final Rule has made HIPAA impossible to ignore for organizations within healthcare and without. Failure to protect PHI can result in fines and other indirect costs, including opportunity costs of lost business from partners who require compliance.
RSI Security has helped countless organizations achieve and maintain HIPAA compliance through HITRUST Certification and otherwise. We’ll work closely with your team to build discipline across your controls and workforce—minimizing risk and creating freedom.
To learn more about Omnibus Rule HIPAA compliance, contact RSI Security today!