The HIPAA Omnibus Rule goes into effect today, March 26. While organizations have until Sept. 23 to comply with the rule's many provisions, including modifications to the HIPAA Security and Privacy Rules, recent federal breach investigations and audits have shown that many organizations are having trouble complying with basic HIPAA requirements that have been in place for years, much less the additional Omnibus requirements.
Longstanding trouble spots in HIPAA compliance include:
- conducting a thorough and timely risk assessment;
- documenting those assessments, as well as security policies and procedures; and
- training staff on compliance.
Because HIPAA Omnibus requires business associates and their subcontractors to comply with the HIPAA Security Rule and many provisions of the HIPAA Privacy Rule, covered entities now face the extra task of making sure their vendor partners are compliant.
In addition to changes related to business associates, other major provisions of the HIPAA Omnibus Rule include:
- New guidance for how to assess whether to report a breach, based on the probability of information being compromised;
- A prohibition against covered entities selling patient information, such as for marketing, without patient authorization, and the need to modify notices of privacy practices to reflect that;
- A requirement to provide patients with electronic copies of their records upon request;
- A requirement that covered entities not disclose to health insurers information about treatment or services if the patient pays out of pocket for the care.