After the HIPAA Omnibus Rule went into force on September 23rd, 2013, the focus on security and compliance became that much more important for healthcare organizations around the country.
The U.S. Department of Health and Human Services Office for Civil Rights announced the final rule, which called for implementing a number of provisions of the HITECH Act, enacted as part of ARRA in 2009, to strengthen the privacy and security protections for health information established under HIPAA.
The press release said that the announced changes extended many of the requirements to business associates of entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties for noncompliance are increased based on the level of negligence, with a maximum penalty of $1.5 million per violation. Patients can also request a copy of their electronic medical record in an electronic format, and patients who pay by cash can ask their provider not to share information about their treatment with their health insurance payer.
In addition, the Omnibus Rule makes it easier for parents, guardians and others to give permission to share proof of their child’s immunization records with a school, and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule. Security officers and legal departments within healthcare organizations have certainly been occupied with this and other compliance initiatives, including the proper discarding of paper documentation within an organization. Initiatives such as shredding unused paper copies of manuals, which do not need to be kept around an organization in this day and age, and using electronic copies of documentation would help streamline organizational workflows and let organizations start to see the true benefits of electronic medical records.