HIPAA-HITECH Omnibus Final Rule

Time: 7 hours 2 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
00:00
>> Hello, everyone. It's Chris. I'm Cybrary's instructor for the US information privacy course. In lesson 6.4, we're going to look at the Omnibus Final Rule for HIPAA. It was in January of 2013 that the Office of Civil Rights at the Department of Health and Human Services published the omnibus final regulation that made permanent some of the amendments that we saw in HITECH and GINA and also made to the HIPAA privacy and security rules. As privacy professionals, we should be familiar with the Omnibus Final Rule and how it amends HIPAA because of its subsequent amendments.

We have several learning objectives. We're going to talk about some of the final modifications to HIPAA's privacy, security, and enforcement rules as mandated by HITECH. We're going to look at some of the changes that were adopted to the enforcement rule to address the increased and tiered civil and criminal penalties under HITECH. We're going to look at the final rule on breach notification that we talked about earlier as it deals with unsecured or unencrypted PHI, and how these amendments do away with the previous breach notification rule's harm threshold and replace it with a more objective standard for assessing a risk. Then finally, we're going to look at how GINA itself amends HIPAA by adding genetic information to the list of 18 identifiers for PHI, how it prohibits most health plans and employers from using or disclosing genetic information for underwriting purposes, and also how it provides privacy protections to individuals that might be predisposed to a genetic disorder or illness without having manifested any signs or symptoms of it, as it applies to health insurance and employment.

We'll start with the final omnibus rule as we take a closer look at it. The final omnibus rule really makes permanent the requirements that business associates and their subcontractors are now accountable for how they process PHI and ePHI. It also states that any business associate that contracts the services of a subcontractor to process PHI or ePHI on their behalf now has to have a business associate contract or business associate agreement in place. It revises certain segments of the HIPAA privacy and security rule as they apply also to business associates. It requires these business associates to account for their use and disclosure of PHI in violation of a BA agreement. It penalizes them for failing to disclose PHI to the secretary of HHS when investigating the business associate's compliance with the privacy rule. It requires the business associates to report any breaches to the covered entity. It penalizes them for failing to disclose PHI to comply with an individual's request for access to their PHI. A business associate is now held accountable for failing to provide an accounting of disclosures of a patient's PHI or ePHI outside of treatment, payment, and operations. Then it also looks at penalizing business associates for failing to make a reasonable effort to limit the use and disclosure of PHI to the minimum necessary standard.

It also looks at the security rule. As the security rule previously only applied to covered entities, now it applies to covered entities, business associates, and to subcontractors. It does away with the requirement for these covered entities, and now business associates, to conduct a harms analysis in response to a breach of PHI or ePHI. Now they just have to do an assessment to determine if there's a low probability of risk in the disclosure of this information by using those four factors that I mentioned earlier in the course.

We talked about the breach notification rule. It makes those breach notification requirements permanent. Now, the omnibus rule revises previous interim rules to include a presumption of a breach. Before, a breach was defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the privacy rule that compromises the security and privacy of the PHI. Now, the omnibus rule has revised that definition by adding an express presumption that an impermissible use or disclosure of protected health information is a breach unless a covered entity or the business associate can demonstrate that there's a low probability that the PHI has been compromised.

Now, we also look at the changes that GINA made to HIPAA, in the sense now that the secretary of Health and Human Services now considers genetic information as one of the 18 identifiers for PHI. It also provides those added protections for individuals that might be predisposed to a genetic illness or disorder, with protection from discrimination by health insurance providers and employers if they have not manifested signs and symptoms of those genetic disorders.

It also looks at marketing and fundraising. Beforehand, the privacy rule generally required covered entities to obtain authorization from an individual patient before using that patient's PHI for marketing purposes. Now, the omnibus rule changes the definition of marketing by requiring an individual's authorization for all treatment and health care operations communications where that covered entity is receiving financial compensation for making the communications to a third party that is promoting that product or service. From a fundraising standpoint, the previous HIPAA privacy rule, before it was amended, required covered entities to make reasonable efforts to ensure that patients and individuals who opted out of receiving further communications did not receive them. Now, the omnibus rule takes a stronger stance by making any further fundraising communications with an individual that has opted out a violation of the HIPAA privacy rule.

The omnibus final rule also strengthens the requirements for notices of privacy practices. The omnibus rule now requires that these notices provide a statement that an individual's authorization is required for most uses and disclosures of psychotherapy notes. It also requires that if a covered entity intends to contact an individual for fundraising purposes, the notice include a statement of such intent and the individual's right to opt out of receiving fundraising communications. If you are a health care provider that is a covered entity, you also have to provide a statement informing individuals of their right to request a restriction of the disclosure of their PHI to a health plan or other parties when the PHI relates solely to health care items or services for which the individual, or another person on behalf of the patient other than the health plan, has paid the covered entity.

Question 1 asks, the Omnibus Final Rule requires which of the following actions by business associates? The answer is A. Question 2 asks, the Omnibus Final Rule makes what requirements permanent for the use and disclosure of PHI for marketing, fundraising, and sale purposes? The appropriate answers are A and B. Question 3 asks, which of the following HIPAA/HITECH/GINA amendments did the Omnibus Final Rule make permanent? The appropriate answers are A, B, and C.

In summary, the Omnibus Final Rule makes permanent the amendments included in interim final rules as they applied to the HIPAA Privacy Rule, the HIPAA Security Rule, and those amendments that were made by GINA and by HITECH. Again, it specifically looked at the Breach Notification Rule, did away with this harms threshold requirement, and now provides a more objective standard, as we see concerning the four factors when evaluating or conducting a risk assessment. It places greater controls over how covered entities can sell protected health information.