With the growth of EMR and health IT overall, the long-awaited HIPAA Omnibus Rule was finalized by the Office for Civil Rights (OCR) and presented before the Office of Management and Budget (OMB) for review earlier this year. Once the OMB approves the final rule, it will be published in the Federal Register.
The deputy director for health information privacy at OCR, Susan McAndrew, said that the rule effectively merged four separate rulemakings, which are as follows:
- Amendments to the requirements of the HIPAA Privacy and Security Rules, as per the terms of the HITECH Act;
- Further requirements for data breach notifications and penalty enforcements;
- Concluding regulations regarding the HITECH Act’s breach notification rule;
- Modifications within HIPAA to incorporate the Information Nondiscrimination Act.
In light of this rule, the health care industry needs to educate patients with regard to their privacy and disclosure rights. Patients should know how their information is used and disclosed, and how to submit complaints pertaining to privacy violations. Similarly, health care providers should strive to better understand HIPAA requirements so that they are aware of their obligations and responsibilities towards their patients under the law.
In addition, the Omnibus Rule would include provisions that would govern the use of patient information in marketing; eliminate or modify the “harm threshold” provision that presently allows healthcare providers to refrain from reporting data breaches that are deemed not harmful; ensure that business associates and subcontractors are liable for unwarranted information disclosures; and require some form of data encryption for electronic systems that include patient data.
However, last week, Farzad Mostashari, national coordinator for health information technology, announced that the Omnibus Rule should be issued by the end of the summer. The extension of the review period for the Omnibus Rule was later confirmed by the OMB.
Mostashari added that the rule would also extend HIPAA privacy and security requirements to business associates and subcontractors. The healthcare industry is waiting anxiously for the final rule to provide more certainty regarding the future of the remaining HIPAA provisions on privacy and security enforcement.