The HIPAA Omnibus Rule: Countdown to Big Changes
The final regulations from the Department of Health and Human Services Office for Civil Rights (OCR) contain significant changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, enforcement, and breach notification rules.
The new regulations, called the Omnibus Rule, significantly affect covered entities (your practice), business associates, and downstream entities of business associates.
The omnibus rule streamlines authorization requirements for the use of individuals' protected health information (PHI) for research purposes. It also sets new limits on permissible uses of PHI for marketing and fund raising, and new prohibitions on the sale of PHI without the individual's permission. Penalties for noncompliance have been increased.
The final regulations went into effect on March 26, 2013 and your practice has until September 23rd to comply.
No Mercy for Business Associates
A business associate is a person or entity that performs a function or activity on behalf of your practice involving the use and/or disclosure of PHI, but is NOT a part of your workforce. The following are examples of business associates:
- Billing Service/Agency
- Collection Agency
- Accountant/Attorney/Other Consultant Who Needs Access To PHI
- Answering Service
- Lockbox Service
- Transcription Service
- Practice Management Software Vendor
- Electronic Medical Records Software Vendor
- Hardware Maintenance Service
- Off-Site Record Storage
- Other Independent Contractors Who Provide Business/Administrative Services On-Site
Under the omnibus rule, as opposed to previous HIPAA rules, your business associates now have direct liability under HIPAA and must comply with the security rule and certain provisions of the privacy rule. Business associate subcontractors (vendors of business associates) have identical compliance obligations, no matter how far removed or how "downstream" their services are from a covered entity.
There is a business associate exception for "conduits" of PHI. The exception is limited to organizations that merely transmit PHI. An example is the United States Postal Service which is merely a conduit through which PHI flows. Organizations that store PHI, such as cloud vendors, are considered business associates even if they do not access PHI.
You must update your existing business associate agreements for compliance with the revisions in the omnibus rule. Your practice can continue to operate under your existing business associate agreements until September 23, 2014 (one year after the date required for compliance with the omnibus rule).
Dramatic Changes to Marketing and Fund Raising
The omnibus rule now requires that prior to sending any marketing materials to an individual relating to a product or service paid for by a third party, your practice must obtain the individual's authorization to receive the communication.
Marketing communications are permitted without an authorization for "health care operations" communications, face-to-face communications and gifts of nominal value. For example, subsidized face-to-face communications and subsidized communications regarding a drug or biologic currently being prescribed to an individual and refill reminders are permissible without authorization.
The omnibus rule was clear that within the scope of this exception are communications about generic equivalents and adherence types of communications. Third-party payments for purposes other than communications to a patient, such as third-party funded disease management programs, do not require authorization, provided that the communication encourages participation in the program and not the use of the sponsor's particular product or service.
The omnibus rule contains provisions that will permit broader fund raising communications. The original HIPAA privacy rule permitted only the use of demographic information and dates of care for fund raising purposes. The omnibus rule permits the use of demographic information, dates of service, department of service, treating physician, outcome information and health insurance status for fund raising purposes by fund raising entities and their business associates. There are still notice and opt-out requirements for fund raising communications, which must be included in the Notice of Privacy Practices provided to an individual. Whether the opt-out provision is campaign-specific or allows for the individual to opt out of all fund raising communications is at your own discretion.
Streamlined Authorizations for Research Purposes
Previously, a clinical trial participant was only permitted to authorize the use of PHI for one clinical trial per authorization. Authorizations for future, unspecified research were prohibited. Consistent with Federal Human Subject Protection Rules, the final rule permits compound authorizations, or authorizations for more than one clinical trial, and authorizations for future, unspecified research. This change permits a single document to include consent and authorization for a clinical trial and a future study, as long as the authorization contains a general description of the types of research that may be conducted. These changes will facilitate tissue and data banking and outcomes research, and will simplify the administration of clinical trials.
Breach Analysis Changes
The omnibus rule moves away from the "harm standard" of the original rules. Under the original rules, the entity responsible for a breach of PHI determined for itself whether the breach caused harm. Under the omnibus rule, an impermissible use or disclosure is presumed to be a reportable breach, and a covered entity or business associate can overcome that presumption only by performing a four-factor risk assessment showing a low probability that the PHI has been compromised. The new standard effectively eliminates a covered entity's discretion over whether a breach must be disclosed to affected individuals, the government and, potentially, the media.
The Four-Factor Risk Analysis for Breach of PHI
- The nature and extent of the PHI involved in the incident (e.g., whether the information is sensitive, such as social security numbers or infectious disease test results).
- The recipient of the PHI (e.g., whether another physician received the PHI).
- Whether the PHI was actually acquired or viewed (e.g., whether the transmitted PHI was viewed once received).
- The extent to which the risk has been mitigated following the unauthorized disclosure (e.g., whether the PHI was immediately sequestered and destroyed).
The omnibus rule will require you to provide additional training to your practice team members about the new requirements. You should provide an awareness communication to your practice team members about the HIPAA changes and plan a training session with all personnel sometime in the near future. As a covered entity, you have always been responsible for monitoring your personnel, but you are now responsible for monitoring compliance by your business associates.
Notice of Privacy Practices Must Now Include
You must also update your Notice of Privacy Practices for compliance with the revisions in the omnibus rule. Your practice must ensure that your Notice of Privacy Practices complies with the following new requirements by September 23rd:
- The new prohibition against health plans using or disclosing genetic information for underwriting purposes.
- The prohibition on the sale of PHI without the express written authorization of the individual and other uses and disclosures that expressly require the individual's authorization.
- The duty of a covered entity to notify affected individuals of a breach.
- The individual's right to opt out of receiving fund raising communications from entities that have stated their intent to fund raise in their Notice of Privacy Practices.
- The individual's right to restrict disclosures of PHI to a health plan where the individual paid out-of-pocket in full.
Don't Forget State Requirements
Beyond HIPAA there exists another universe of breach notification requirements in the 46 states that have data breach notification laws.
Risk assessments and gap analyses must therefore include not only HIPAA requirements, but also the requirements of an organization's respective state laws. A state's breach notification assessment may differ from that required under HIPAA, and a notification made under HIPAA does not necessarily satisfy state law.
In conclusion, the omnibus rule contains many changes that will have a significant impact on HIPAA compliance and liability, particularly for your business associates.
It is crucial to conduct a thorough analysis of the new requirements and to tailor your privacy and security policies and procedures accordingly.