HIPAA Omnibus Rule




White Paper

Health Care Organizations and the
HIPAA Omnibus Rule
Security Measures to Ensure Patient and Provider Privacy



White Paper: Health Care Organizations and the HIPAA Omnibus Rule

Health Care — One of the Highest Regulated Industries
Health care regulations are in place to protect the well-being of both patients and providers.
Many are concerned with the privacy of patient information and require security measures
to help ensure that privacy. The Health Insurance Portability and Accountability Act
(HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH)
Act both define regulations to improve security of protected health information (PHI).
The HIPAA Omnibus Rule, which went into effect on March 26, 2013, was over
500 pages long. However, from a security or IT regulatory point of view, there
are seven things an organization working with PHI needs to know.

1. Compliance Date: Significant parts of the Omnibus Rule required compliance by
September 23, 2013. Security is often as much about organizational culture as it
is about technical controls, and organizational culture does not evolve overnight.

2. Covered Entities, Business Associates and subcontractors are primarily
responsible: A Covered Entity (CE) that manages PHI has always been
responsible for complying with HIPAA and HITECH. Under the Omnibus Rule,
a Business Associate (BA) and any subcontractor or vendor that “creates,
receives, maintains or transmits” PHI are now all primarily responsible for
complying with HIPAA and HITECH. While a BA agreement is required for all BAs,
the agreement is not necessary to create this responsibility for the BA.
BAs, and subcontractors to which a BA has delegated a function, activity
or service, are not only primarily responsible for compliance
but can also be audited for this compliance (or lack thereof), and
may face fines or additional sanctions if found noncompliant.

3. Covered Entities must get proof of compliance from BAs: Under the Omnibus
Rule, a CE is responsible for ensuring that their BAs are taking appropriate
compliance actions. CEs are required to obtain “satisfactory assurance” that
all PHI managed by the BA receives security and privacy protections that meet
the requirements of HIPAA, HITECH and other portions of the Omnibus Rule.


The most important element is not only that organizations must be HIPAA/HITECH
compliant, but that their compliance programs must be able to produce enough
documentation and other information for the organization to prove that it is
compliant. Proving compliance has historically been one of the most difficult parts
of a security program, but under the Omnibus Rule it must be an integral part.

4. Disclosure of PHI is assumed to be a breach: Previously, if the CE or BA
had a reasonable expectation that any improperly disclosed PHI had NOT been
accessed, they did not have to do additional investigation and did not have to
report that improper disclosure. This was more of an “innocent until proven guilty”
point of view. Under the Omnibus Rule, the unauthorized use or disclosure of
PHI is assumed to be a breach until the CE or BA can demonstrate that there
is a low probability that the PHI has been compromised. A CE or BA must now
take action as if this unauthorized disclosure is a breach until they can prove
otherwise. The CE or BA is now “guilty until proven innocent,” a small difference
that can have a big impact on how they handle improper disclosures.
This assessment should also be included in the HIPAA compliance documentation (the
items that must be properly documented as part of the organization’s HIPAA
program), so that retaining proof that a proper investigation has been
completed and that a disclosure was not a breach is a formal process.

5. Formal investigation required by auditor: Under HIPAA and HITECH, the
U.S. Department of Health and Human Services (HHS) had some discretion over
what actions to take when it saw “willful neglect,” which is the most serious
classification of the cause of a breach. Under the Omnibus
Rule, if an HHS review reveals even the possibility of willful neglect, HHS
is required to initiate a formal investigation. Guidelines also state that
the violating organization will be subject to additional sanctions if the
auditor determines that a breach did actually involve willful neglect.

6. No penalty cap: The Omnibus Rule is essentially silent on penalty caps for
violations. HITECH had language that seemed to limit the total fines that could be
assessed, but the language has changed for the Omnibus Rule. The Omnibus Rule
states that the business may be assessed civil penalties up to $1.5 million for all
violations of an identical HIPAA requirement in a calendar year. A CE or BA can be
assessed additional penalties in the event of “willful neglect.” The CE or BA can
also be assessed additional civil penalties for violations that are not “identical.”


If a Health and Human Services auditor finds a significant violation, the CE,
BA or subcontractor can be assessed up to $1.5 million in civil penalties
for that one specific type of violation. If the auditors find a second violation,
the CE or BA can be assessed up to another $1.5 million for that one. In
addition, HITECH expanded penalties to enable attorneys general from
any state affected by a breach to seek additional compensation from
the CE, BA or subcontractor. Technically, the ultimate penalty is at the
discretion of the HHS, meaning that there is effectively no penalty cap!

The following examples demonstrate the types of fines that the U.S.
Department of Health and Human Services is willing to assess:

• The $1.5M fine against BlueCross BlueShield of Tennessee for a 2010
breach that resulted in the theft of 57 unencrypted hard drives.

• The $1.7M fine against the State of Alaska Department of Health and Social
Services for a 2012 breach. While the breach was originally traced to an
unsecured storage device that had been stolen from an employee’s vehicle,
investigations revealed a sequence of non-compliant activities and the lack of
an active compliance program.

7. Enhanced privacy rules may require a new Notice of Privacy Practices:
There are numerous updates to patient privacy requirements. To simplify, the
Omnibus Rule expands patient rights and notification requirements. The Omnibus
Rule restrictions place limits on a physician providing marketing material to a
patient and increase notification requirements for fundraising activities and the
sale of PHI. These are changes from the interim rules, so a health care organization
needs to update its privacy policies and notifications in meaningful ways.
While these are the most significant points in the Omnibus Rule from a security
viewpoint, the final rules do impose other requirements on internal practices.
Why the extra emphasis on compliance and reporting? Health care organizations
with limited operating budgets tend to focus on operations rather than compliance.



Solutionary Managed Security Services
Solutionary Managed Security Services provide 24/7 log monitoring and management
as required by HIPAA and other compliance mandates. The Solutionary ActiveGuard
Portal provides security and compliance reporting to simplify audits.

Solutionary is a trusted security advisor in the health care industry with demonstrable
understanding of the entire health care value chain. Solutionary is an expert in protecting
data while also enabling health care organizations to fulfill their mission — to save lives.

Solutionary Consulting Services
Solutionary Consulting Services (SCS) specializes in the delivery of security
guidance and controls validation, supporting compliance and protecting
data with security mandates around HIPAA and HITECH. SCS consultants
engage in recurring, scheduled security initiatives or short-term, one-time
projects; whichever best meets the needs of the organization.

About Solutionary
Solutionary, an NTT Group security company, is the next generation managed security
services provider (MSSP), focused on delivering managed security services, global
threat intelligence and security consulting services. Comprehensive Solutionary security
monitoring and security device management services protect traditional and virtual
IT infrastructures, cloud environments and mobile data. Solutionary clients are able
to optimize current security programs, make informed security decisions, achieve
regulatory compliance and reduce costs. The patented, cloud-based ActiveGuard®
MSSP platform uses multiple detection technologies and advanced analytics to
protect against advanced threats. The Solutionary Security Engineering Research Team
(SERT) researches the global threat landscape, providing actionable threat intelligence,
enhanced threat detection and mitigating controls. Experienced, certified Solutionary
security experts act as an extension of clients’ internal teams, providing industry-leading
client service to global enterprise and mid-market clients in a wide range of industries,
including financial services, health care, retail and government. Services are delivered
24/7 through multiple state-of-the-art Security Operations Centers (SOCs).

Solutionary Services to Support HIPAA/HITECH Compliance
Solutionary can determine and ensure compliance with HIPAA, HITECH and
Omnibus Rule requirements through a variety of services:
• HIPAA Health Care
• Third Party (BA)
• Log Monitoring
• Security Device
• Vulnerability

Learn More
To learn more about security consulting services and to meet your compliance needs,
contact Solutionary today at [email protected].

Contact Solutionary at [email protected] or 866-333-2133
Solutionary, an NTT Group Security Company, is the leading pure-play managed security services
provider (MSSP), focused on delivering managed security services and global threat intelligence.
ActiveGuard® US Patent Numbers: 7,168,093; 7,424,743; 6,988,208; 7,370,359; 7,673,049; 7,954,159; 8,261,347.
Solutionary, the Solutionary logo, ActiveGuard, the ActiveGuard logo, are registered trademarks or service marks of
Solutionary, Inc. or its subsidiaries in the United States. Other marks and brands may be claimed as the property of
others. The product plans, specifications, and descriptions herein are provided for information only and subject to change
without notice, and are provided without warranty of any kind, express or implied. Copyright ©2014 Solutionary, Inc.


Solutionary, Inc.
9420 Underwood Avenue
Omaha, NE 68114

