The U.S. Department of Health and Human Services has issued a final set of regulations that address several key areas under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed in 2009, some existing HIPAA requirements were amended as the act was implemented in phases. The Omnibus Rule, which HHS issued in January, finalizes the HIPAA regulations affected by HITECH and adds new provisions, such as protections for genetic information.
NASW Associate Counsel Sherri Morgan said the HIPAA Omnibus Rule addresses areas such as the privacy and security rules, enforcement provisions, and general changes that allow for more administrative flexibility.
Social workers who are subject to HIPAA will need to amend notices of privacy, revise HIPAA forms and policies, and update business associate agreements under the HIPAA Omnibus Rule, Morgan said. NASW’s online sample HIPAA forms will be updated consistent with the new requirements and social work ethical standards.
“The changes made under the Omnibus Rule add valuable protections for patient privacy,” Morgan said. “A key change is that contractors for health providers and health plans will be directly subject to HIPAA enforcement actions, as well as any subcontractors who have access to patient identifying health information.”
Other changes include patient authorization for the use of patient information in marketing, privacy protections for self-pay clients, a ban on use of genetic information for health-plan underwriting, changes to how risk of harm from privacy breaches is assessed, and an expiration of HIPAA privacy protections 50 years after a patient’s death.
“There are also specific penalties for those who ‘willfully neglect’ to comply with the HIPAA requirements,” Morgan said, “so social workers are strongly encouraged to review their compliance plan and keep a file to document the specific actions they take to meet the new standards.”
The 2013 Omnibus HIPAA Rule is effective as of March 26, 2013, with a compliance date of Sept. 23, 2013.