First Posted at Christina’s Considerations on 3/11/2013
The 600-odd pages of the HIPAA Final Omnibus Rule (published in January) affect nearly every aspect of patient privacy and data security and encompass the:
- HIPAA Privacy, Security and Enforcement Rules
- Breach Notification Rule
- HITECH Act
- Genetic Information Discrimination Act
idExperts boiled down the new rule in a new whitepaper that includes their recommendations for managing the risks. The most significant clarification is that patients now have the right to obtain electronic copies of all of their electronic medical records upon request. In addition, new categories of PHI may be used or disclosed for fundraising, allowing better-targeted efforts.
Covered entities will be required to update their notice of privacy practices to reflect these new rules. They should also:
- Conduct and document annual privacy and security risk assessments (the HVA of Emergency Management)
- Identify, manage and document compliance of business associates and their downstream contractors
- Define and document the method used for security incident risk assessments, i.e., how you determine whether an incident is a breach.
- Document the policies and processes for limiting access to patient information when a patient exercises the right to restrict access.
- Encrypt PHI according to NIST specifications to take advantage of the safe-harbor provision regarding notifications in the event of a breach.
Keep in mind that the compliance deadline is September 23rd, and it will be here before you know it.