In January 2013, the Health Insurance Portability and Accountability Act (HIPAA) got an important update: the HIPAA Omnibus Rule. The U.S. Department of Health and Human Services (HHS) issued this rule to update the privacy and security protections in HIPAA, which was passed in 1996, before the internet became a ubiquitous part of life.
The Omnibus Rule was necessary because the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act had strengthened privacy protections and introduced breach notification requirements, but those requirements had only been implemented through an interim rule. The Omnibus Rule finalized them, replacing the earlier "risk of harm" test with a presumption that any impermissible use or disclosure of unsecured protected health information (PHI) is a breach unless a risk assessment shows a low probability that the PHI was compromised. The rule also makes business associates, such as technology providers, directly liable for their own HIPAA compliance and updates the requirements for business associate agreements (BAAs).
Updates to BAAs
Today, healthcare providers rely on a wide network of third-party service providers, or business associates, to handle patient data, whether it’s the electronic health record (EHR) system they use or a video conferencing service. A BAA is the contract that sets out what the business associate may do with PHI, what safeguards it must maintain, and how it must report security incidents and breaches back to the provider. It also documents that the provider has done its part under the rule if a breach turns out to be the fault of the service provider.
The Omnibus Rule clearly lays out what’s expected from a healthcare provider in terms of its business associates. Healthcare providers must create written policies and procedures to manage their business associates, sign agreements with them, and define the breach notification process.
Meanwhile, business associates have their own responsibilities under the Omnibus Rule, and they are directly liable for meeting them. They must sign BAAs with any subcontractors that handle PHI on their behalf, and they must have a set of written policies and procedures detailing how they comply with the entire HIPAA Security Rule and the parts of the HIPAA Privacy Rule that apply to them. They also must conduct a HIPAA risk assessment to identify threats and vulnerabilities affecting the PHI they hold, and they must report breaches of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days after discovery.
What to do if there’s a data breach
The Omnibus Rule clarifies what constitutes a data breach and what healthcare providers must do if a breach occurs. A breach is the acquisition, access, use, or disclosure of PHI in a way the Privacy Rule does not permit, where that compromises the security or privacy of the information. The notification requirements apply to unsecured PHI in any form, paper included. PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method HHS has specified, in practice encryption or destruction, is not "unsecured," and its loss does not trigger notification.
If there’s an impermissible use or disclosure, the rule presumes it is a breach unless the healthcare provider and/or business associate can show, through a documented risk assessment, that there is a low probability the PHI was compromised. That assessment must consider at least four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated.
For example, a physician might misplace a tablet device that contains PHI. Before notifying any patients of a breach, the physician’s organization needs to work through those factors: what PHI was on the device, whether there is evidence it was accessed, and what was done to mitigate unauthorized access, such as remotely wiping the device. The outcome depends heavily on whether the device was encrypted to the HHS standard before it was lost. If it was, the PHI on it is not unsecured and the loss is not a reportable breach; if it was not, a remote wipe issued after the fact only counts as mitigation, and the organization still has to justify any conclusion that the data was not compromised. Whatever the conclusion, the analysis must be documented, because the organization carries the burden of proof.
During this investigation, healthcare providers and/or business associates can also check to see if one of the exceptions to the Omnibus Rule’s definition of a data breach applies to their situation. There are three exceptions:
1. A workforce member or other person acting under the authority of the healthcare provider or business associate unintentionally acquired, accessed, or used the PHI in good faith and within the scope of their job, and did not further use or disclose it in a way the Privacy Rule does not permit
2. The PHI was disclosed inadvertently by someone authorized to access PHI at the healthcare provider or business associate to another person at the same organization who is also authorized to access PHI, and it was not further used or disclosed impermissibly, like a nurse accidentally grabbing a chart for a patient who is not theirs
3. The healthcare provider or business associate has a good-faith belief that the unauthorized person who received the PHI would not reasonably have been able to retain it, for example, if a receptionist handed a printout of the wrong lab results to a patient but quickly realized their error and took back the paper before the patient could read it
Under the Omnibus Rule, data breach notification requirements are very clear. In the event of a breach of unsecured PHI, there are three different categories for notification: the individuals whose PHI was compromised, the media, and the secretary of HHS. The bare minimum requirement is to notify the affected individuals and the HHS secretary. Individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting fewer than 500 individuals can be logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered.
If the breach affects 500 or more individuals, HHS must be notified at the same time as the individuals, and if it affects more than 500 residents of a state or jurisdiction, a notice must also be sent to prominent media outlets serving that area, in addition to notifying all the individuals who have been affected and the secretary of HHS.
The Omnibus Rule gives providers and business associates a clear set of guidelines to follow regarding data breaches. Following them, and documenting the risk assessment behind every decision not to notify, will help organizations secure patient information and conduct defensible investigations if a breach should occur.