HIPAA, HITECH, and the OMNIBUS Rule: What Are They?
March 1, 2019
“HIPAA.” “HITECH.” “Omnibus Rule.” Are these words as commonplace in your organization as “insurance” or “deductible?” Maybe they should be.
These three government laws are a force to be reckoned with when it comes to protecting electronic health information. They provide a baseline for security rules in your organization. You don’t need to know everything about these regulations. However, you should have a solid understanding of what they cover. Certainly, the relationship between HIPAA, HITECH and the Omnibus Rule is a vital part of your HIPAA compliance plan.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a 1996 US law that provides privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers1.
Covered Entities, Business Associates, and Business Associate Subcontractors are all responsible for maintaining HIPAA regulations. HIPAA defines Protected Health Information (PHI).
What is HITECH?
HITECH (Health Information Technology for Economic and Clinical Health Act) was created to encourage organizations to “promote the adoption and meaningful use” of Electronic Health Records (EHR).
HITECH includes incentives for healthcare providers who use digital medical records to improve the quality of healthcare.
The law also imposes penalties for failing to make sufficient use of EHR. Therefore, the ultimate goal of HITECH is to promote the use of secure, interoperable EHR throughout the U.S.2
How are HIPAA and HITECH Related?
In 2009, HITECH was created as part of the ARRA (American Recovery and Reinvestment Act) to promote the adoption of health information technology, namely EHR.
HITECH gives providers incentives for making medical records digital, as well as add more technical requirements to hospitals and doctors who are using EHR.
Likewise, HITECH enhances HIPAA by improving the provisions that were already in place.
How HITECH Strengthened HIPAA Provisions
HITECH & Business Associates
The introduction of HITECH extended the privacy and security rules of HIPAA to Business Associates and Business Associate Subcontractors.
Now, these two categories of support vendors must implement the same compliance documents and training requirements as Covered Entities.
HITECH & Breaches
HITECH imposed new requirements regarding breaches. Much stiffer breach penalties also exist thanks to HITECH.
Violators are subject to fines of up to $1.5 million/violation. They’re also subject to penalties (jail time) even if they didn’t know a violation occurred.
What is the Omnibus Rule?
HHS updated HIPAA and HITECH in 2013 when they finalized the Omnibus Rule.
Consequently, Business Associates are now directly liable for any non-compliance and any fines associated with the non-compliance.
The update improved patient privacy protections and gave individuals new rights to their health information.
The Omnibus Rule finalized:
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules
- The HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act
- Changes on Breach Notification for unsecured PHI under the HITECH Act from providing evidence to prove there was a breach, to presuming a breach occurred and requiring proof how data was not compromised
- Modifications to the HIPAA Privacy Rule addressing the GINA (Genetic Information Nondiscrimination Act) to prohibit most health plans from using or disclosing genetic information for underwriting purposes
- Patients may pay out of pocket in full and instruct their provider to refrain from sharing information about their treatment with their health plan
- Federal Common Law of Agency – the law holds Business Associates and
Subcontractorsto the same standards required of Covered Entities. They are subject to the same fines and penalties as Covered Entities
- Healthcare providers can share vaccination records with schools directly with a written or verbal release from the student’s parent or guardian
- The Omnibus Rule adopted HITECH’s prohibition against the marketing, fundraising, and sale of PHI without authorization3
The marketplace is still waiting for an HHS ruling on whether individuals whose PHI has been released can share in the fines. If that happens, the number of suits will increase rapidly.
HIPAA, HITECH, Omnibus Rule: The Building Blocks of Privacy and Security
Fully understanding HIPAA, HITECH and the Omnibus Rule is an intimidating responsibility. Not many people love government regulations. However, the details of these laws provide template that can protect your business from hackers.
Rob McDonald, VP of Customer Relations at Virtru, a data protection company, explains, “Laws like HIPAA and HITECH makes business sense when they are implemented properly because they help protect your company’s business intelligence.”
In conclusion, HIPAA, HITECH, and the Omnibus Rule are the building blocks of HIPAA compliance. Remember, when there is a breach, fines apply to Covered Entities, Business Associates, and Business Associate Subcontractors. Above all,
May 18, 2020
With the onset of COVID-19, many employers have had to face the possibility of the virus entering the workplace. Normally, under the Americans with Disabilities Act (ADA), employers are prohibited… Read More ›Read More
May 6, 2020
On March 13, President Donald Trump declared a national emergency in response to the rapid spread of COVID-19. Two days following this statement, the U.S. Department of Health and Human… Read More ›Read More
April 20, 2020
In this blog post, we review nine email encryption vendors (Barracuda, Egress, Hushmail, Indentillect, MailHippo, LuxSci, Protected Trust, Rmail, & Virtru) who provide HIPAA compliant email encryption services that will… Read More ›Read More