By Rena Malai, News staff
The U.S. Department of Health and Human Services has issued a final set of regulations that address several key areas under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Under the Health Information Technology for Economic and Clinical Health Act, which was passed in 2009, some existing HIPAA requirements were amended as the HITECH Act was implemented in phases. The Omnibus Rule, which HHS issued in January, finalizes the HIPAA regulations affected by HITECH and adds new provisions, such as protections for genetic information.
NASW Associate Counsel Sherri Morgan said the HIPAA Omnibus Rule addresses areas such as the privacy and security rules, enforcement provisions, and general changes that allow for more administrative flexibility.
Social workers who are subject to HIPAA will need to amend notices of privacy, revise HIPAA forms and policies, and update business associate agreements under the HIPAA Omnibus Rule, Morgan said. NASW’s online sample HIPAA forms will be updated consistent with the new requirements and social work ethical standards.
“The changes made under the Omnibus Rule add valuable protections for patient privacy,” Morgan said. “A key change is that contractors for health providers and health plans will be directly subject to HIPAA enforcement actions, as well as any subcontractors who have access to patient identifying health information.”
Other changes include patient authorization for the use of patient information in marketing, privacy protections for self-pay clients, a ban on use of genetic information for health-plan underwriting, changes to how risk of harm from privacy breaches is assessed, and an expiration of HIPAA privacy protections 50 years after a patient’s death.
“There are also specific penalties for those who ‘willfully neglect’ to comply with the HIPAA requirements,” Morgan said, “so social workers are strongly encouraged to review their compliance plan and keep a file to document the specific actions they take to meet the new standards.”
The 2013 Omnibus HIPAA Rule is effective as of March 26, 2013, with a compliance date of Sept. 23, 2013.
An overview of the 2013 HIPAA Omnibus Rule is available at socialworkers.org/ldf/legal_issue/default.asp
For more information and resources about HIPAA, visit www.socialworkers.org/hipaa/
From the April 2013 NASW News.
The final Omnibus Ruling is an absolute game changer when it comes to HIPAA compliance, and it’s why Covered Entities and Business Associates should be focusing on the true merits of HIPAA compliance, and that’s putting in place documented HIPAA information security and operational policies, procedures, and processes. I’ve worked with so many healthcare providers that lack the basic and fundamental documentation for HIPAA compliance; therefore, it’s easy to see why non-compliance issues are still a major factor with HIPAA. I also hear healthcare companies express cost concerns about developing such documents, along with implementing risk assessment and security training initiatives, but with all the free and cost-effective tools available (some of them straight from hhs.gov!), there’s really no excuse for not being HIPAA compliant. Everyone needs to be ensuring the safety and security of PHI; it’s really that simple.