What is the HIPAA Omnibus Rule?
by Kapua Iao
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the privacy and security of patients’ health information.
Since its enactment, the U.S. Department of Health and Human Services (HHS) has issued a series of implementing rules and amendments that add further protections and responsibilities. In this post, we’ll take a closer look at the Omnibus Rule (2013).
So what does the Omnibus Rule add to HIPAA, and why was it necessary? And how can Paubox Email Suite and HIPAA compliant email help a healthcare provider comply with Omnibus?
A HIPAA summary
Congress passed HIPAA to improve healthcare standards and to combat fraud and abuse in health care; HHS writes and enforces the rules that implement it.
SEE ALSO: What is HIPAA? Or is it HIPPA?
The Office for Civil Rights (OCR) within HHS enforces the act’s privacy and security provisions. The act consists of five sections (or titles). Title II is the most referenced, because its Administrative Simplification provisions are the basis for the policies and procedures that safeguard PHI, whether in paper or electronic (ePHI) form.
Included are several later rules:
- Privacy Rule (compliance required from 2003): sets national standards for how PHI may be used and disclosed, and what rights individuals have over it
- Security Rule (compliance required from 2005): sets the administrative, physical, and technical safeguards required to protect ePHI
- Enforcement Rule (2006): sets the procedures for investigating complaints and penalizing noncompliant organizations
- HITECH Act (2009): promotes the adoption and meaningful use of technology in healthcare
- Breach Notification Rule (2009): sets the procedures for reporting breaches
And of course, the Omnibus Rule, which is also referred to as the Final Omnibus Rule or the Omnibus Final Rule.
The Omnibus Rule
In general, the Omnibus Rule updates the earlier HIPAA rules and implements provisions of the HITECH Act. Rather than introducing a new framework, Omnibus strengthens and modifies what is already in place.
It aims to further safeguard patient privacy and PHI in a digital world, which of course includes electronic health records (EHR).
The idea is to enhance confidentiality and security while also increasing the accountability of healthcare providers and the vendors that work with them.
Under the Breach Notification Rule, organizations must notify affected individuals of any breach of unsecured PHI, and breaches affecting 500 or more individuals must also be reported to HHS (and the media) without unreasonable delay; smaller breaches are logged and reported to HHS annually. The Omnibus Rule changed the test for what counts as a reportable breach.
RELATED: What to do after you violate HIPAA
Before Omnibus, a breach had to be reported only if it posed a significant risk of harm. Now, every impermissible use or disclosure of PHI is presumed to be a breach and must be reported, unless the organization can demonstrate, through a documented risk assessment, that there is a low probability the PHI was compromised. That assessment must consider at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
This change has led to an increase in the number of breaches reported.
Individual rights and protections
Omnibus also strengthened patient privacy protections, giving individuals more control over their PHI. Patients must (in most cases) provide explicit written authorization before a healthcare organization may use or disclose their PHI for:
Business associate liability
While the HITECH Act made business associates directly liable for their own compliance, Omnibus solidified enforcement. One of the ways it did this was by broadening the definition of a business associate to include subcontractors: any entity that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate.
In other words, business associates (and their subcontractors) are directly subject to the Security Rule and to the relevant provisions of the Privacy Rule. OCR can now audit and fine business associates directly for noncompliance.
It is important to note that OCR may still hold a covered entity liable for a breach caused by its business associate. Covered entities should therefore vet third-party vendors more carefully and keep their business associate agreements current.
Here are some additional pertinent modifications to HIPAA. The Omnibus Rule:
- Prohibits most health plans from using or disclosing genetic information for underwriting purposes, as required by the Genetic Information Nondiscrimination Act (GINA).
- Allows covered entities to disclose proof of immunization to schools, where state law requires the school to have it, with the agreement of the patient (or parent or guardian) rather than a formal HIPAA authorization.
- Incorporates the increased and tiered penalty structure provided by the HITECH Act.
Ultimately, the modifications made by Omnibus should prompt covered entities to update their notices of privacy practices, internal policies, and authorization forms.
They should also ensure that workforce training reflects the updated rules.
Omnibus and email communication
One final aspect of HIPAA that Omnibus touches on is email communication. Patients are not covered entities, so they may email their own PHI to a healthcare provider.
Healthcare organizations, however, must protect PHI in transit to maintain HIPAA compliance, and in practice that means encrypting any email that contains PHI. They must use strong outbound email security in order to send HIPAA compliant email.
RELATED: How to send HIPAA compliant email
This is exactly what Paubox Email Suite does: it encrypts all outgoing messages by default.
In a nutshell, our solution is secure and simple to use, and it integrates with platforms like Google Workspace and Microsoft 365. Paubox Email Suite ensures that you can communicate electronically with your patients,
and that you can remain compliant with HIPAA and its amendments, including the Omnibus Rule.