MedCity Influencers

HIPAA security compliance: how important is it? [Infographic]


Are you ready for the HIPAA Omnibus Rule?

The Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services, on January 25, 2013, issued the much-awaited final privacy and security regulations (“Omnibus Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) to implement the changes made in 2009 by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

The Final Omnibus Rule takes HIPAA and the HITECH Act to an entirely new level. It became effective on March 26, 2013, and with its compliance date only a few days away, it has stirred a frenzy among Covered Entities (45 CFR 160.103) and Business Associates (45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)) alike.

With regard to compliance and enforcement, the Final Rule makes major modifications that will affect the Business Associates and Covered Entities involved in electronic transactions, the use and disclosure of Protected Health Information (PHI), and the conduct of clinical research.

The Final Rule has a great deal of impact on both the Security Rule and the Privacy Rule. It has heightened the requirements of the Security Rule, so that Covered Entities as well as Business Associates must rigorously alter their technical, physical and administrative safeguard policies. The Privacy Rule, in turn, sets limits and conditions on the uses and disclosures of PHI that may be made without the patient’s authorization.

It also creates an increased and tiered civil money penalty structure for security breaches under the HITECH Act. The Final Rule modifies and clarifies the definition of what constitutes a reportable privacy breach and the factors covered entities and business associates must consider when determining whether a reportable breach has occurred.

The changes to the HIPAA regulations brought about by the Omnibus Rule must also be incorporated into the Notice of Privacy Practices (NPP). The Final Rule requires that the Notice of Privacy Practices, which is a statement indicating the authorization required for uses and disclosures of PHI, be physically posted to every patient’s address. If the Covered Entity records or maintains psychotherapy notes, the notice must also include a statement indicating that authorization is required for most uses and disclosures of those notes.

The Final Rule has greatly modified the NPP. It must now include a statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual to whom the PHI relates. If a Covered Entity intends to contact an individual to raise funds for the Covered Entity, the NPP must also include a statement regarding fundraising communications and the individual’s right to opt out of receiving such communications.

This article covers only the broad categories of changes to the HIPAA rules. Covered Entities and Business Associates are encouraged to review existing HIPAA compliance policies and procedures to ensure they are up-to-date. If a suspected privacy breach occurs, work with knowledgeable legal counsel to assess the breach and any notification requirements because both the assessment and notice requirements are complex and the penalties for noncompliance can be significant.

To learn more about the Omnibus Rule, please join us in our HIPAA Omnibus Compliance Webinar – http://www.curemd.com/HIPAA/index.asp