With the pervasive adoption of innovative technologies such as cloud computing in the healthcare industry, there was a need for strict guidelines to monitor and govern organizations that have access to electronic Protected Health Information (ePHI). HIPAA, HITECH and the Omnibus Rule are the three pieces of regulation that form the baseline for bringing sanity to the healthcare industry and protecting electronic health information. While it is almost impossible to grasp everything that is captured by these rules and regulations, it is imperative for your company to have a solid understanding of what they entail, and certainly how the three relate to each other.
At sepStream(tm), we follow and adhere to HIPAA, HITECH and the Omnibus Rule, and continue to monitor changes to them and update our practices accordingly. With the help of our able and skilled compliance officers and legal team, we keep our state-of-the-art systems up to date with security measures to ensure that we meet or even exceed industry standards. However, before we progress further, let’s look at what HIPAA, HITECH and the Omnibus Rule entail.
What is HIPAA?
Enacted on August 21, 1996, HIPAA covers diverse topics ranging from data security and insurance coverage for unemployed people to the efficiency of healthcare administration and the improvement of healthcare outcomes. In our case, the HIPAA law provides privacy standards to safeguard patients’ medical records and any information they provide to doctors, hospitals, medical entities or other healthcare providers. It ensures that all parties that have access to healthcare information, including third-party vendors, covered entities, business associates and subcontractors, are responsible for complying with the HIPAA regulations. It also defines what type of data is classified as Protected Health Information (PHI).
While HIPAA consists of a hierarchy of regulations that are intentionally vague and somewhat confusing, organizations that have access to patients’ information are required to fulfill all of their requirements. Compliance involves adhering to the various stipulations of the HIPAA law, from the Health Insurance Portability and Accountability Act of 1996 itself to subsequent amendments and legislation such as the HITECH Act.
What are some of the HIPAA Requirements?
HIPAA Security Rule
This rule specifies a broad range of safeguards that need to be put in place to secure ePHI while it is being transmitted or stored. The rule covers any system or individual that has access to private patient data. The safeguards fall into three categories:
- Physical safeguards
- Technical safeguards
- Administrative safeguards
HIPAA Privacy Rule
The HIPAA Privacy Rule governs the use and disclosure of PHI. It demands that strong safeguards be implemented to protect the privacy of PHI, and it sets various limits that restrict the circumstances in which information may be used or disclosed without the patient’s authorization. It also affirms that patients have the right to obtain copies of their health records whenever they wish, as well as to request corrections that they deem necessary.
The rule requires covered entities to respond to patients’ requests within 30 days, and to provide them with explanations of the circumstances under which their private information may be shared or used.
HIPAA Breach Notification Rule
This rule requires covered entities to notify patients when there is a breach of their ePHI. They are also required to inform the Department of Health and Human Services (HHS), as well as the media if the data breach affected more than 500 patients.
HIPAA Enforcement Rule
It sets out the kind of investigations to be conducted when there is a breach of ePHI, the penalties to be imposed on those responsible for the breach, and the procedures for hearings.
HIPAA Omnibus Rule
The Omnibus Rule was incorporated into HIPAA and HITECH in 2013 to address issues that were not covered by the previous updates. The rule strengthened patients’ privacy protection, amended definitions, and expanded HIPAA to cover business associates and their subcontractors. Among the changes it introduced:
- Amending the HIPAA privacy and security provisions.
- Changing the HIPAA and HITECH requirements for breach notification for unsecured protected health information.
- Preventing the use of patients’ data for marketing purposes.
- Amending HIPAA to incorporate the provisions of GINA, which prohibit the disclosure of genetic information for underwriting purposes.
- Allowing patients who pay out of pocket for health services to instruct providers not to share information about those services with their health plan.
- Requiring disclosure of data breaches that are considered non-injurious.
Patients are also awaiting a ruling from HHS on whether they will be compensated when their information is obtained or shared without their consent.
What is HITECH?
HITECH is a provision of the American Recovery and Reinvestment Act of 2009 that was enacted to encourage healthcare providers and physicians to adopt and use Electronic Health Records (EHR). HITECH provides incentives for healthcare entities and practitioners that use digital medical records to improve the quality of healthcare. The act also imposes penalties on organizations and practitioners that fail to make sufficient use of Electronic Health Records (EHR).
How HITECH Reinforced HIPAA Provisions
HITECH extended the HIPAA Security and Privacy Rules to cover business associates and their subcontractors, meaning that, just like covered entities, both must comply with the HIPAA requirements. It also imposed stiffer breach penalties, including on those who were unaware that a breach had occurred.
Although HIPAA, HITECH and the Omnibus Rule can be intimidating, it is your responsibility to ensure that you adopt rigid and robust measures that will help you comply with the regulations. While this may be a daunting task to accomplish alone, you can ask for help from reliable entities such as sepStream(tm), who will help you understand how the regulations have changed over time and help you avoid hefty fines for non-compliance or data breaches.