Today September 23, 2013 marks the start of the Omnibus Rule enforcement date.
It is important for providers to start working on compliance with the new requirements as soon as possible. According to a statement from the Office for Civil Rights (OCR) of the Department of Health and Human Services, enforcement of the requirement that certain CLIA-exempt laboratories revise their Notices of Privacy Practices is delayed until further notice. Here is the entire statement issued by OCR:
“The Office for Civil Rights (OCR) of the Department of Health and Human Services announces a delay in its enforcement of the requirement that certain HIPAA–covered laboratories revise their notices of privacy practices (NPPs) to comply with the modifications made to the HIPAA Rules published in the Federal Register on January 25, 2013 (78 FR 5566), commonly known as the “Omnibus Rule,” until further notice. This Enforcement Delay applies to HIPAA-covered laboratories that are subject to CLIA (i.e., CLIA-certified) or exempt from CLIA (i.e., CLIA-exempt) and that are not required to provide an individual with access to his or her laboratory test reports under § 164.524 of the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access at § 164.524(a)(1)(iii)(A) or (B). The Enforcement Delay does not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and by virtue of that relationship, do not have their own, laboratory-specific, NPPs.”
This is one reprieve for a small part of Omnibus Rule compliance. One tip for those struggling to comply is to modify existing Business Associate Agreements (BAAs). This does not apply to existing BAAs that were entered into on or before January 25, 2013 and that have been modified after March 26, 2013. For this group, the compliance date is extended until September 23, 2014.
RISC Management & Consulting is an organization specializing in data privacy and information security regulations and frameworks, focused on the healthcare and financial sectors. RISC assists its clients in understanding the requirements of federal and state regulations and industry frameworks as they apply to sensitive information. RISC Consultants are experts in legal requirements, industry standards, and frameworks including HIPAA, the HITECH Act, ISO 27001 and 27002, PCI-DSS, GLBA, FFIEC, and state-level information security laws. All of our services are focused on getting you compliant with Privacy & Security requirements, quickly, completely, and affordably.
Enforcement Highlights of the HIPAA Privacy Rule
HHS / OCR has investigated and resolved over 21,271 cases by requiring changes in privacy practices and other corrective actions by the covered entities as of August 31, 2013.
From the compliance date to the present, the compliance issues most frequently investigated, compiled cumulatively and listed in order of frequency, are:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Uses or disclosures of more than the minimum necessary protected health information; and
- Lack of administrative safeguards of electronic protected health information.
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
- Private Practices;
- General Hospitals;
- Outpatient Facilities;
- Health Plans (group health plans and health insurance issuers); and,
With regard to the subset of complaints specifically pertaining to the Security Rule, since OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 738 complaints alleging a violation of the Security Rule. During this period, OCR closed 543 complaints after investigation and appropriate corrective action. As of August 31, 2013, OCR had 260 open complaints and compliance reviews.
For more information please contact RISC Management and Consulting, www.RISCsecurity.com