
HIPAA rules and regulations tend to strike fear into the hearts of healthcare providers. This set of requirements is there for good reason – to protect patient confidentiality, reinforce the rights of patients, and prevent anyone from exploiting or illegally accessing their private information.
But it can be difficult for healthcare providers, defined as covered entities, to ensure that they comply with every aspect. HIPAA’s Title II, which concerns the collection, storage, and sharing of Personal Health Information (PHI), tends to represent the greatest challenge for healthcare providers. It’s important for everyone involved to make sure that they understand all the elements of HIPAA, including the 2022 HIPAA Omnibus Rule.
As an update, the HIPAA Omnibus Rule is designed to strengthen requirements that already exist in HIPAA. It covers a number of issues, including business associate liability for data breaches; the circumstances where breaches must be reported; and situations and methods for covered entities to disclose data. It affects many aspects of healthcare management, but particularly everything concerning PHI communication.
The penalties for any PHI data breach include high fines and negative publicity that can deter patients. Clinic managers, administrators, and cybersecurity teams need to pay careful attention not just to the data that they collect and the way that they secure it, but to the manner and methods by which it is shared. Communicating PHI might be the point when data is most vulnerable.
Malicious actors often target data when it’s in transit, because protection tends to be weaker. Partners and third parties, including those legally defined as “business associates,” might not have the same level of data security or strong data privacy policies, and could expose the PHI you send. They might even intentionally share PHI with their own partners, in ways that breach your organization’s HIPAA obligations.
In this fraught landscape, it’s important to have a thorough understanding of all the implications that HIPAA’s Omnibus Rule has for your approach to PHI communication.
Patients Must Give Explicit Consent
As part of the HIPAA Omnibus Rule, covered entities have to make sure that patients give their explicit consent to sharing their PHI in various situations. While some of these might be obvious, like marketing and selling patient data, others are less so, like research purposes.
HIPAA Omnibus even regulates times when data sharing might be required by law, such as when state laws obligate healthcare providers to send individual immunization and vaccination records.
As a result, healthcare providers need to set up mechanisms to ask for and receive explicit patient opt-in to sharing their data for permitted and mandated purposes.
Email Is an Approved Medium for Communication
Given all the regulations around PHI protection, many healthcare providers set up patient portals. These are platforms that offer a secure way for patients and medical professionals to communicate, often including tools like appointment booking and repeat prescription requests.
Portals are an excellent way to give patients more control over their care, but they aren’t always the best way to send messages. Patients can get frustrated if they need to log into a portal every time they receive an appointment confirmation or reminder.
Fortunately, HIPAA Omnibus confirms that email can be used for messages, including PHI and anything that could identify the patient. Of course, this only applies for secure email that’s encrypted in transit, so that no unauthorized party can gain access to it.
Business Associates Need to Revisit Data Privacy
The HIPAA-adjacent HITECH Act already made it clear that business associates are directly liable for complying with PHI protections. But this requirement was strengthened and solidified by the Omnibus Rule.
HIPAA Omnibus extended this aspect of HITECH to any entity that works with PHI. The Office of Civil Rights (OCR) can audit these organizations and apply penalties for non-compliance directly, just like it does for covered entities.
This means that every company that handles PHI needs to make sure that it has high security for storing and sharing that information.
Vigilant Vetting for Third Parties
Just because HIPAA Omnibus holds business associates and other parties directly liable for non-compliance, that doesn’t mean that covered entities are off the hook. The OCR can and will fine both business associates and covered entities for a business associate’s PHI breach, if it feels that the covered entity didn’t put sufficient protections into place.
HIPAA Omnibus strengthens this by broadening the definition of a data breach to include any unauthorized use or disclosure of PHI. That means that if a third party uses PHI for its own marketing purposes, for example, the healthcare provider that originally provided the data could be required to report this as a breach.
Even if the OCR doesn’t apply penalties in that case, the covered entity would face all the negative publicity that comes with a data breach. Healthcare providers need to vet every partner, business associate, and other third party even more carefully, and reassess their own policies and protocols for data sharing.
HIPAA Omnibus Has Consequences for Healthcare Providers
Every HIPAA rule and update needs to be taken seriously, and the HIPAA Omnibus Rule is no exception. Although it eases some concerns, by explicitly permitting email communication and increasing the liability of business associates, it also brings a number of ways in which covered entities need to raise their level of PHI protection. Carefully understanding HIPAA Omnibus and applying the right tools and policies is vital for healthcare providers to remain compliant and hold onto customer trust.