First, a little background on exactly what the Omnibus Rule is. The American Recovery and Reinvestment Act of 2009, more commonly known as the “stimulus package,” made billions of dollars available to accelerate the adoption of electronic medical records. The stimulus also tacked on another amendment to HIPAA — the HITECH (Health Information Technology for Economic and Clinical Health) Act, which proposed expansion of existing HIPAA Privacy, Security, and Enforcement rules that govern the release of protected health information (PHI) and the process of reporting information breaches. As of September 23rd, those proposed expansions are now cemented under the Omnibus Rule.
What does this mean for SMBs? Well, the most important change is to whom HIPAA applies. In the past, HIPAA rules were aimed primarily at covered entities (CEs) — hospitals and other direct health-care providers — while the third-party business associates (BAs) who handled or processed PHI were bound by contract but didn’t face direct enforcement. Now, under the Omnibus Rule, BAs — legal, accounting, financial, claims processing, or billing — are also “on the hook” to follow HIPAA’s newly beefed up regulations. What do those regulations do?
• Strengthen limitations on the use and disclosure of PHI
• Prohibit the sale of PHI without individual authorization
• Expand individuals’ rights to receive electronic copies of their PHI
• Adopt enhanced rules about breach notification
• Increase civil and criminal prosecution, along with monetary penalties, as a result of breaches
Sound confusing — and even scary? CMIT Solutions is here to help. As a trusted technology advisor that focuses on excellence in business operations, we’re implementing specifically tailored HIPAA Compliant Managed Services™. Below are examples of HIPAA-related questions we can ask to determine whether the new rules apply to your business, along with policies we can recommend to ensure you and your clients are compliant.
• Does your company have a properly trained employee knowledgeable about HIPAA compliance? Whether it’s a full-time certified Healthcare Security Officer (HSO), or a current employee who devotes some time to learning the topic, his or her job won’t be done in one quick burst. Instead, ideal HIPAA training is robust and ongoing, ensuring that your company cultivates a culture of compliance backed up by strong business associate agreements (BAAs).
• If you handle electronic health records (EHR) or protected health information (PHI), are they encrypted and protected? Encryption is imperative for any type of EHR or PHI. But security doesn’t stop there. Designing workflows and administrative safeguards that limit access to EHR or PHI through physical and technological means can prevent “bad actors” from opening your business up to civil and criminal prosecution, along with hefty monetary penalties.
• Do you have policies in place to handle privacy or security breaches? Any breach — defined as use or disclosure that compromises the privacy or security of PHI and poses a significant risk of financial, reputational, or other harm — must be reported to the Department of Health and Human Services (HHS). If the breach affects fewer than 500 individuals, it can be reported annually; if it affects more than 500 individuals, it must be reported immediately to HHS and the media. The new Omnibus Rule also enacts more aggressive enforcement and increased penalties, up to an annual maximum of $1.5 million.
• Are your vendors, agents, and subcontractors compliant? New rules dictate that, if you or your company knows about a compliance violation by a business associate (BA), you’re required to take reasonable steps to correct it. If that fails, you’re required to terminate that person or company’s business associate agreement (BAA).
• Have your IT solutions been audited to guarantee that they’re HIPAA compliant? Many vendors will say they’re compliant, but your due diligence is necessary to make sure. CMIT’s flagship offerings — Marathon remote monitoring and management, Guardian data backup and disaster recovery, Help Desk user support, and Anti-Spam email protection and encryption — are fully HIPAA compliant and backed by CMIT’s integrity, excellence, and nationwide standards.
• Are your solutions right-sized for your small business? Being authentically compliant isn’t easy, especially for small businesses that might not be able to afford another employee focused strictly on HIPAA processes.
• Do you have best-practice policies in place to address all of the above elements? Simply meeting compliance requirements is great — but implementing best-practice policies that go beyond compliance to mitigate risks is even better.
Before September 23rd, CMIT will be rolling out HIPAA Compliant Managed Services™, which can help guide you through this new maze of health care rules and regulations. If compliance — and, by extension, integrity and excellence — are important to you and your business, contact your trusted CMIT Solutions advisor NOW for a HIPAA compliance appointment.