Reimbursement Page By Devon Bernard
Implementing the HIPAA Omnibus Rule
The brand new rule may affect your agreements with business associates and breach notification policies
KEY TERMS AND DEFINITIONS FROM HIPAA
• Covered Entity: An organization that must comply with all HIPAA rules and regulations when using/creating PHI. As a health-care provider, you are considered a covered entity.
• Disclosure: The means by which a covered entity communicates PHI to an outside entity, and is normally allowed under HIPAA.
• Protected Health Information (PHI): Information created by a health-care provider that is used to identify an individual for the purpose of treatment and billing. PHI also is referred to as individually identifiable health information, and could be such information as Medicare ID or Social Security numbers.
• Secured: Any PHI that has been rendered unusable, unreadable, or indecipherable by accepted methods. These methods include encryption for electronic records or shredding for paper information.
• Unsecured: Any PHI that has not been destroyed, made unreadable, or made unusable by acceptable methods.
• Use: Refers to acceptable, under HIPAA, disclosures of PHI in the daily operations of a business; for example, PHI used for treatment or billing.
O&P Almanac APRIL 2013
The final Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule was published by the Office of Civil Rights (OCR) and the Department of Health and Human Services (HHS) on Jan. 25, 2013. The intention of the rule is to implement new privacy, security, and enforcement provisions to provide greater protection to a patient’s privacy and strengthen the ability of the government to enforce HIPAA. With an effective date of March 26, 2013, and a mandatory compliance date of Sept. 23, 2013, this new rule is based on and modifies provisions or statutory changes that were first introduced and enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
What You Need To Know
The HITECH Act was enacted as part of the stimulus bill and signed into law on Feb. 17, 2009. The purpose of HITECH was to further advance the use of electronic communications in the health-care arena; but it also expanded the reach of HIPAA’s privacy and security provisions. In late 2009, HHS released its interim rules for the new privacy and security provisions of the HITECH Act and they became effective; active enforcement began in 2010. Thus, a lot of the changes brought about by the Omnibus Rule are not new and should not catch you completely off guard. However, there are some changes that will alter your business practices, including updating your Notice of Privacy Practices, creating new business associate agreements, and updating your breach notification protocols. Several changes from the HITECH Act to the final Omnibus Rule may have an impact on your current business practices and HIPAA policies and procedures. The changes have been divided into four categories: business associates and business associate agreements, breaches and breach notifications, patients’ rights, and compliance and enforcement.
Business Associates and Business Associate Agreements
A business associate (BA) is a person or entity that provides services on behalf of or to covered entities, and requires the use and disclosure of PHI. Examples of BAs include but are not limited to third-party billers, accounts, or clearinghouses. With the new rule, the role of the BA hasn’t changed, but its definition has changed: A BA is any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This expanded definition includes any subcontractors that a BA may use to carry out the duties assigned to it by a covered entity.