The Department of Health & Human Services Office of Civil Rights (OCR) on June 6, 2013 released an advance copy of Technical Corrections (Technical Corrections) to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notifications Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Rule) previously published on January 25, 2013. Health plans, health care clearinghouses, health care providers and their business associates will want to be sure to take into account the Technical Corrections as they rush to update business associate agreements, policies, practices, training and other HIPAA compliance to comply with the Omnibus Rule changes by the September 2013 deadline.
Technical Corrections To Omnibus Rule Released
OCR published the Omnibus Rule to implement changes to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (“the HIPAA Rules”) enacted by the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”) and section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008, as well as to address public comment received on the interim final Breach Notification Rule and to make other changes to the HIPAA Rules. The Technical Corrections are scheduled for publication in the Federal Register on June 7, 2013.
The Technical Corrections correct various typographical errors and other oversights in the Omnibus Regulations as originally published. While many of these corrections have limited material impact, certain corrections do have substantive implications. For instance, by correcting errors in references to other provisions of the Omnibus Regulations, the Technical Corrections clarify that the authority of OCR to grant an extension of time pursuant to § 160.508(c)(5) applies to violations occurring on or after February 18, 2009, as it does for violations occurring prior to February 18, 2009.
Health plans, health care clearinghouses and their business associates will need to review and take into account the Technical Corrections as they work to review and update their policies and practices for handling and disclosing personally identifiable health care information (“PHI”) in response to the Omnibus Rule.
Get Moving To Update HIPAA Compliance For New Omnibus Rule Requirements As Amended By Technical Corrections
Covered entities and their business associates have a lot to accomplish between now and September to update their business associate agreements and comply with other changes made by the Omnibus Rule by its September 2013 deadline. Among other things, the Omnibus Regulations:
- Revise OCR’s HIPAA regulations to reflect the HITECH Act’s amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA’s civil and criminal penalties for violating HIPAA’s Privacy, Security, and Breach Notification rules;
- Update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities including business associates to give specific notifications to individuals whose PHI is breached, HHS and in some cases, the media when a breach of unsecured information happens;
- Update interim enforcement guidance OCR previously published to implement increased penalties and other changes to HIPAA’s civil and criminal sanctions enacted by the HITECH Act;
- Implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose PHI for marketing and fundraising purposes and prohibit Covered Entities from selling an individual’s health information without getting the individual’s authorization in the way required by the Omnibus Regulations;
- Update OCR’s rules about the individual rights that HIPAA requires Covered Entities to afford to individuals who are the subject of PHI used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic PHI in electronic form;
- Revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of PHI protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
- Clarify and revise other provisions to reflect other interpretations and information guidance that OCR has issued since HIPAA was passed and to make certain other changes that OCR found appropriate based on its experience administering and enforcing the rules.
Liability & Enforcement Risks Heighten Need To Act To Review & Update Policies & Practices
The restated rules in the Omnibus Rule make it imperative that Covered Entities review the revised rules carefully and update their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and manage other enforcement and liability risks. Even prior to the regulations, OCR has aggressively investigated and enforced the HIPAA requirements. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach; OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website; Providence To Pay $100000 & Implement Other Safeguards.
Coupled with statements by OCR about its intolerance, the HONI and other settlements provide a strong warning to covered entities of the need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.
In response to these expanding exposures, all Covered Entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices, taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments, to decide if tightening their policies, practices, documentation or training, or taking other additional steps, is necessary or advisable.
For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs
If you need help with HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other human resources, employee benefit, or other compliance, risk management, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help.
Nationally recognized for her extensive work, publications and leadership on HIPAA and other privacy and data security concerns, Ms. Stamer has extensive experience representing, advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical and other privacy and data security, employment, employee benefits, and to handle other compliance and risk management policies and practices; to investigate and respond to OCR and other enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.
A Fellow in the American College of Employee Benefit Counsel, State Bar of Texas and American Bar Association, Vice President of the North Texas Health Care Compliance Professionals Association, the Former Chair of the ABA RPTE Employee Benefit & Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Council Representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer serves as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR. Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights on HIPAA and other data privacy and security concerns appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For instance, Ms. Stamer for the third year will serve in 2013 as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.
Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMSS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.
In addition to this extensive HIPAA specific experience, Ms. Stamer also is recognized for her experience and skill aiding clients with a diverse range of other employment, employee benefits, health and safety, public policy, and other compliance and risk management concerns.
Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a member of the Editorial Advisory Board and expert panels of HR.com, Employee Benefit News, InsuranceThoughtLeadership.com, and Solutions Law Press, Inc., management attorney and consultant Ms. Stamer has 25 years of experience helping employers; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit and management policies and practices. Ms. Stamer often has worked extensively on these and other workforce and performance related matters. In addition to her continuous day-to-day involvement helping businesses to manage employment and employee benefit plan concerns, she also has extensive public policy and regulatory experience with these and other matters domestically and internationally. A former member of the Executive Committee of the Texas Association of Business and past Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, Ms. Stamer served as a primary advisor to the Government of Bolivia on its pension privatization law, and has been intimately involved in federal, state, and international workforce, health care, pension and social security, tax, education, immigration and other legislative and regulatory reform in the US and abroad. She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For more information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly.
For help with these or other compliance concerns, to ask about compliance audit or training, or for legal representation on these or other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also may be interested in exploring other Solutions Law Press, Inc.™ tools, products, training and other resources here and reading some of our other Solutions Law Press, Inc.™ human resources news here including the following:
- OCR Gives HIPAA Guidance On Safety Disclosures
- Id & Manage Hidden Employee Benefit Exposures In Business Insolvency Or Other Transactions
- Final Regulations Update HIPAA Health Plan Wellness Program Rules
- Beware: Not All Products Marketed As “Fixed Indemnity Coverage” Products Are HIPAA/ACA Exempt
- Updated Kaiser Family Foundation Tool May Help Project Which Employees Will Get Exchange Subsidies
- New IRS Guidance On ESOP Investment Diversification Reminder To Tighten Compliance, Risk Management
- EBSA Releases Model ACA Notices Discussing Coverage Options
- Group Health Plans & No-Fault & Worker’s Comp Ruled Primary Plans When Coordinating With Medicare Advantage Plans
- Changing Plan Years Won’t Extend Health Plan’s Affordable Care Act Annual Limit Waiver Eligibility
- Former White House Cybersecurity Coordinator Schmidt, Stamer & Others Share Key HIPAA & Other Privacy & Data Security Insights 5/21 In LA
- Strengthen Health Plan Privacy Compliance & Risk Management Using Lessons From New OCR Provider & Consumer Tools
- Deadline To Send ACA Summary of Benefits & Coverage Adds Pressure To Finalize 2014 Plan Designs As Agencies Add MEC & MV Disclosures To SBC
- Study Finds Down Economy, Not Health Care Reform Accounts For Slower Health Care Cost Increases; Projects Renewed Costs When Economy Improves
- Tax-Related ID Theft Growing Problem For IRS, Taxpayers
- Tax Saver’s Credit Helps Low & Moderate Income Workers Save For Retirement; Possible Tool To Help Boost Their Participation In Employer Plans
- Self-Insured Health Plan Sponsors, Health Insurers Brace To Pay New ACA-Imposed Fees
- 1st OCR Small HIPAA Breach Settlement Shows Plans, Other Covered Entities At Risk From Small Breach Reports Too
- Labor Department Targeting Businesses Violating Overtime, Other Wage & Hour Laws
- Company President, Officer Can’t Use Bankruptcy To Avoid Liability For Using Plan Money For Company Operations
- Peter Madoff 10 Sentence For Defrauding ERISA Plans Reminder Manage Plan Investment Responsibilities
- IRS Plans To Issue 2013 Withholding Guidance By 12/31
- ESOP, Other Employee Plan Investments In Company Stock Land Plans, Fiduciaries, Sponsors & Others In Hot Water
- Confirm Qualified Plans Updated By Reviewing Against 2012 Required Plan Qualification Requirements Change List
- Catch Up On Health Reform & Other Key Employee Benefits & Insurance Issues Emerging Issues and Litigation Relating to Life, Health, Disability and ERISA Symposium In Ft. Lauderdale
- 2013 Standard Mileage Rates Announced
- IRS Shares Rules Allowing Government Plans To Switch Remedial Amendment Cycles
- Reminder To Amend Health FSA Plan Terms To Include ACA $2500 Contribution Before 2013 Plan Year Begins
- Bank’s $1 Million Plus Overtime Settlement Shows Risks of Misapplying FLSA’s Administrative Exemption
- Labor Department Serves The Christmas Light Co. & Its Owner With Holiday Season FLSA Lawsuit
- Boston Hides and Furs Ltd. Sued For $1 Million For Alleged Willful FLSA Wage & Hour Law Violations
- 2013 Maximum Yearly PBGC Guaranteed Pension Benefit Amount To Increase Slightly In 2013
- Rare Court Order Telling Union To Stop Filing Grievances Example Of Employer Risks When Caught Between Competing Unions
- IRS OKs Retirement Plans Allowing Plan Loans & Hardship Withdrawals To Hurricane Sandy Victims
- Agencies Release ACA Wellness, Adult Pre-Existing Condition, Essential Health Benefits Guidance; Briefing Planned
- New Employee Smart Phone App New Tool In Labor Department’s Aggressive Wage & Hour Law Enforcement Campaign Against Restaurant & Other Employers
- 12 Steps Every Employer With A Health Plan Should Do Now No Matter Who Wins the Election
- Boost Employee Recognition of Value Of Employer & Other Retirement Savings Tools & Plans
- Texas Landscaper’s $106,000 In Minimum Wage & Overtime Settlement Reminds Employers To Prepare For FLSA Enforcement
- NLRB’s Nailing of Bel Air Hotel Reminder RIFs, Other Reengineering & Transactions Impacting Workforce Requirement Proper Risk Management
- Tighten Disability Discrimination Defenses As National Disability Employment Awareness Month Promises To Whip Up New Claims & Awareness
- Settlement of OFCCP Employment Discrimination Charge Reminder To ARRA, Other Government Contractors Of Heightened Enforcement Risks
- $1.25M NLRB Backpay Order Highlights Risks of Mismanaging Union Risks In Health Care & Others M&A Deals
- As EEOC Steps Up ADA Accommodation Enforcement, New DOD Apple App, Other Resources Released
- $1.5 M HIPAA Security Breach Resolution Agreement Shows Looming HIPAA Risks
- Labor Risks Rising For Employers Despite NLRB Loss Of Arizona Secret Ballot Challenge
- USI Advisors Will Pay $1.27 Million To Settle Charges It Violated ERISA Fee Disclosure Requirements
©2013 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press, Inc.™ All other rights reserved.