With the implementation of the final HIPAA Omnibus Rule in March of this year, health care professionals may feel challenged to understand how best to comply with the new provisions and interpretations. To help them navigate the new rule, Eileen Elliott, partner in law firm Dunkiel, Saunders, Elliott, Raubvogel & Hand, Burlington, Vt, offers the following six tips:
1. Be familiar with the 2009 HITECH Act—in particular, HITECH’s obligations regarding breach notification.
2. Go over the enhanced breach notification requirements. The threshold for reporting is now based on the risk that public health information (PHI) has been “compromised.”
3. Understand the increased business associate liability. If you in any way create, receive, maintain, or transmit patient health information, you can now be directly liable for HIPAA noncompliance.
4. Recognize Health and Human Services’ enhanced fining authority. Because it is applied on a “per provision” basis, the maximum annual fine of $1.5 million can be multiplied several times over, depending on the number of provisions violated.
5. Note the extension of GINA requirements. All plans that are subject to HIPAA are now also subject to the Genetic Information Nondiscrimination Act (GINA).
6. Mark your calendar. In most cases, compliance is required by September 23, 2013; all contracts must be compliant by September 22, 2014.