The Omnibus Disclosure: Crucial for HIPAA Specialists to Understand

The Health Insurance Portability and Accountability Act’s (HIPAA) Omnibus Rule came into force from September 23, 2013; based on the HITECH (Health Information Technology for Economic and Clinical Health) Act’s stringent guidelines for patient data privacy.

The HIPAA Omnibus rule puts the onus on the healthcare organization to analyze and prevent breaches in PHI (Protected Health Information). The healthcare organization will be responsible to pay fines for any breach of patient data security. Apart from higher alertness, this requires upgraded EMR (Electronic Medical Record) software and training to medical personnel.

The fines to be paid for breach of disclosure through non-adherence to HIPAA Omnibus Rule can start at $100 and go up to $50,000 per violation. Even greater fines exist under the rule, if it is proven that the breach was committed willfully and there was an absence of any corrective measure which could have been taken. In this case, the fine can be as high as $150,000.

HIPAA specialists within the industry now have greater responsibility and would play an important role in ensuring correct adherence to the Impermissible Disclosure and Use of Protected Health Information (PHI) as per HIPAA Omnibus Rule.

HIPAA Specialists should consider various factors and run several analysis for the new HIPAA Omnibus compliance. For eg.:
  • PDF or DOC files may be at a higher risk as compared to specialized software with proprietary reading formats.
  • Computer with 24 hour access to the internet may be at higher risk as compared to lesser connected computers.
  • Computers without firewalls or proxy servers can be potential threat for data security breach as compared to secure firewall or proxy configurations.
  • EMR software updates and patches provided by vendor should be immediately installed. In case the vendor has not provided the same, they should be asked about it to ensure that the software is compliant with improved HIPAA Omnibus Rule requirements.
  • EMR access should be allowed to authorized personnel only. Stricter access protocols and encryption should be used for higher compliance and lowering probability of breach. Combination & longer passwords should be used, and there should be a strict policy prohibiting the sharing of computer passwords. Access control can hinder unauthorized access or data security breach to a large extent.
  • Authenticity of patient health records should be verified and made 100% error free. While this will provide for better compliance, it will also help the medical practitioner make better decisions through access to correct data
  • If a healthcare organization does not have an HIPAA specialist, they should hire a trained HIPAA specialist or hire the services of a professional company that provides HIPAA compliance support.

These stringent rules may seem challenging to follow, and can have cost implications in their implementation. However, following the rules will increase patient data security. Analyzing your systems for HIPAA Omnibus Rule compliance will help in plugging security gap, and make your security systems stronger and more reliable.