HIPAA Omnibus Rule

Video Transcription
Hello again, and welcome to Lesson 1.4 of Implementing a HIPAA Compliance Program for Leadership. There are all kinds of buses in the world, like a school bus, shuttle bus, double-decker bus, computer bus, electrical bus and, my favorite, the VW bus. But in this lecture we will be learning all about the HIPAA Omnibus, and specifically how this bus mowed over all the previous rules in HIPAA and gave our dated HIPAA vehicle a fresh new paint job.
So in today's lecture, we will review the final HIPAA ruling, the final provisions to the HIPAA Privacy and Security Act. At the point of releasing what is called the Omnibus Rule, HIPAA was already 17 years old. So in our lesson today, we will learn about this new Omnibus Rule and how its addition strengthens the privacy and security protections under the HIPAA standards, and how the Omnibus Rule changed enforcement, breach notification rules, and the provisions under the Genetic Information Nondiscrimination Act, or what is known as GINA.
So after 17 years of HIPAA, it's time for a reboot, a retool. The technology had changed, and now everyone is talking about the human genome and being able to track and identify an individual all the way down to their DNA. And there's been a ton of technology investment and advancement. The HITECH Act by now had changed everything, and virtually all health care providers and covered entities had gone electronic. They had digitized their PHI and converted their physical records over to new electronic health records systems. A really big and momentous task. Some health care organizations would take a full decade to get to digital. When you are a publicly traded entity with hundreds of thousands of employees and deliver tens of billions of dollars in patient care services annually, well, you have to do a little bit more transition and have to migrate a little slower than just deploying an app on your smart device.

The Omnibus Rule created additional specifications and criteria on business associates and their liability. The rule called out new guidelines on the sale of PHI and placed new rules on protected health information disclosure around the patient when they died, the decedent, and their surviving family members. By this point, there are all kinds of EHRs out there and electronic records with a new standard access method for PHI, so HIPAA needed new access rules for these electronic formats.
There were new breach notification rule updates, and now, through the Genetic Information Nondiscrimination Act, or GINA, passed in 2009, it was illegal to discriminate against employees or applicants because of genetic information. The Omnibus Rule would put genetic information under the protecting arm of HIPAA, adding our genetic information and its records, now part of the rule's protected health information, PHI. The new rule even addressed some of the concepts of the marketing and fundraising surrounding PHI data and businesses. Power and information is money. So Omnibus began to call some of this stuff out and called out the updated dos and do-nots.
The Omnibus Rule changed the rules and made a bunch of them. So let's break this down. The final rule would expand patient rights by allowing them to ask for a copy of their electronic medical records in electronic format. Under the final rule, when patients would pay out of pocket and in full, they could instruct their providers to refrain from sharing information about treatment with their health plan. If a Medicare beneficiary requests a restriction on the disclosure of PHI to Medicare for a covered service and pays out of pocket for that service, the provider must also restrict the disclosure of PHI regarding the service to Medicare. The final rule sets new limits on how information can be used and disclosed for marketing and fundraising purposes, and it prohibits the sale of an individual's health information without their permission. Penalties for non-compliance with the final rule are based on the level of negligence, with a maximum penalty of $1.5 million per violation.
Some of the additional changes the Omnibus Rule made to HIPAA were to the breach notification rule, where it was amended with a requirement to determine the breach's risk of compromise rather than harm. Compromise was considered a more objective test than harm. Thus, breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates a low probability that the PHI has been compromised. To determine whether it's been compromised or not, the covered entity or business associate has to conduct a risk assessment that considers the following factors: the nature and extent of the PHI involved (so, bottom line, was enough information breached to recognize the individual?); the unauthorized person who used the PHI or to whom the disclosure was made (was that another health care professional, where the risk is low that it's going to be released out to the dark web or to a bad threat agent, or do we know that's going to be the outcome?); whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated (what countermeasures did the covered entity perform to protect the data and minimize the risk to the individual?).

The final rule changed this and made it really cut and dried. Before, a limited data set that did not contain any birthdates or ZIP codes, well, it wasn't considered a breach. Under the final rule, breaches of even limited data sets, regardless of their content, must be handled like all other breaches of PHI.
Providers and covered entities still had safe harbor, though, in which an unauthorized disclosure was only going to rise to the level of a breach, thereby triggering the notification requirements of the HITECH Act, if the PHI disclosed would be classified as unsecured. Unsecured PHI is PHI that's not rendered unusable. In other words, the data is out on the dark web because of the breach, but you can't read it because it's encrypted. If it's unreadable, covered entities aren't required to notify. But if the data can be read, red tag, you're it, and you better duck for cover, because my red team, well, we're pretty awesome at dodgeball.
So, like a double-decker omnibus, we're going to roll through some more changes. Covered entities, in their forms, need to inform patients that they will be notified if their PHI is subject to a breach. You must also inform individuals that a covered entity may contact them to raise funds, and the individual has a right to opt out of receiving such communications. Business associate agreements and policies and procedures must address the prohibition on the sale of patients' PHI without permission. Covered entities must modify and implement policies and procedures that address the new limits on permissible uses of information for marketing and fundraising activities. And this is a big one: regarding genetic information, as required by the Genetic Information Nondiscrimination Act of 2008, the Omnibus Rule incorporates genetic information into the definition of PHI, thereby explicitly applying HIPAA privacy protections to an individual's genetic information.
So we haven't talked about it much, but the good news for you is it's homework in your Cybrary course supplementals, and yeah, don't we love homework? The Health Information Technology for Economic and Clinical Health (HITECH) Act was drafted and implemented. It became law and enforceable on February 17th, 2009. And although HITECH was founded on the principles of rewards for going electronic with your patient information systems, it had real teeth in the law regarding PHI, patient rights, and business associates, and actually created a new federal breach notification standard. The important aspect to know now about the requirements of HITECH is that it really helped fill the gaps in HIPAA, which was signed into law 13 years earlier. So the requirements of HITECH were incorporated into HIPAA in its final Omnibus Rule. That's why all the changes and amendments: it had been more than a decade since HIPAA went into law. Advancements in healthcare technology were revolutionizing how we created, used, shared and stored protected health information. Thus changes to both HIPAA and new regulations and laws like HITECH were needed. Now clarity had been given on breaches that included even minimal data sets and not just full patient records. Is your name and your birthday sufficient to notify that a breach occurred? Why, yes, it is. So do your homework. Learn about HITECH. Really good stuff and a real game changer for HIPAA.
So I don't know about you, but one of the few things creepier than tests, exams and quizzes is, you guessed it, frogs. Those things are creepy, slimy, and unlike lizards, they talk back to you and basically have bad attitudes. Well, hang on a second. I stand corrected. I just got a text on my phone from one of my students, and they say cats are actually creepier than frogs. But that would require a whole dedicated lecture on cats, and I haven't run that by Cybrary's course content team for approval. But for now, and there's a lot of reasons we gave you, but for now, name three reasons why the Omnibus Rule was necessary for HIPAA and was inducted into federal law.

Well, HIPAA was getting old and needed new teeth, and it needed new rules because technology was changing, technology was innovating, and how we use and absorb and share health information was changing as well, because of this thing called electronic health records. And with this new technology came new communication channels like iPads and tablets and smartphones. Well, with these new communication channels, well, that brought with it new risks. And so thus we needed new rules. So to summarize: thank you very much, technology, we love you. Thank you, HITECH, for all your help and support. And most importantly, thank all you snakes, lizards, birds and the occasional hedgehog for eating those frogs. And did you know that the French eat an estimated 80 million frogs a year? That's 160 million frog legs a year. I love the French, and that's why I'm moving to Paris.
So in this video, we learned about the Omnibus Rule that was adopted into law in January 2013, and all the changes it brought to HIPAA, our favorite set of laws and guidelines for protecting the privacy and security of our patients' protected health information. We learned about some of the reasons why changes to HIPAA were necessary. And we learned about the amazing new federal law, the HITECH Act of 2009, and how it brought real teeth to HIPAA and helped close the gaps in things like breach and breach notification. And we learned more about frogs and cats, two of our favorite life forms, if we have documented behavioral or mental health problems.

So thanks for sitting in on this lecture on the HIPAA Omnibus Rule, and a big shout out to Ken Underhill, Cybrary master instructor and one of the most infamous criminal masterminds in the cyber industry. No, seriously, Ken's a great guy, tremendous instructor. His only real challenge? Well, he's a cat guy, so try not to hold that against him when you take one of his amazing courses on pen testing and ethical hacking. On behalf of all of us here at Cybrary, thanks for learning with us today. Take care, and we'll see you in our next lecture, User Responsibility and Meaningful Use. So for now, on behalf of all of us here at Cybrary, our teaching assistants, our instructors, our course content creators, well, take care and happy journeys.