The final HIPAA Omnibus Rule
One of the perks (if you can call it that) of working in healthcare is that we have the opportunity to explore the regulatory and business drivers that impact the industry. Those of us who support clients with communications strategies need to be especially attuned to changes. The Dodge team, in fact, is committed not only to staying on top of, but ahead of, trends that afford our clients the opportunity to contribute thought leadership and advance their marketing message.
One regulatory change we’ve kept our eye on is the final HIPAA Omnibus rule, which went into effect on March 26. No, I am not a new form of masochist that enjoys the minutia of patient health information privacy and security policies. But the truth is that you can’t help but find this stuff interesting when you work with it on a daily basis. Plus, from a PR/marketing perspective, there are some quick and simple strategies that companies can utilize to get the most out of their investments as they work on becoming HIPAA-compliant.
Here are a couple of key changes in the HIPAA Omnibus rule you might want to familiarize yourself with…
One of the most important changes applies to breach notifications. Under the old rule, breaches were not required to be reported unless they posed a “risk of significant harm.” The new standard assumes a risk has occurred. Basically, the HIPAA Omnibus rule presumes providers are guilty of harming patients when data is breached. You have obviously heard of “innocent until proven guilty” in our legal system. Under the final HIPAA Omnibus rule, when it comes to breach notifications, the phrase “guilty until proven innocent” is more applicable.
The Definition and Liability/Obligation of Business Associates are Expanded
Arguably, the HIPAA Omnibus rule has the greatest impact on business associates. Before the new standards went into effect only covered entities (health care providers, health systems, health plans and clearinghouses) were responsible for reporting data breaches. While these entities were required to contractually obligate any business associates (organizations that help covered entities to provide health services) safeguard protected health information, these business associates themselves were under no obligation to report data breaches directly to the U.S. Department of Health and Human Services (HHS).
As you can guess, that all changed under the new standards. Business associates are now required to report breaches directly to HHS and may be assessed the same monetary and criminal penalties for violations as covered entities.
Additionally, the definition of a business associate was expanded to include:
- Any downstream subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate, even if they have an indirect relationship with a covered entity;
- Health information organizations, e-prescribing gateways, or other persons that provide data transmission services to a covered entity that require routine access to PHI; and
- Any person that offers a personal health record to individuals on behalf of a covered entity.
It has to be Done
With the deadline to comply set for September 23, many organizations that were not considered a business associate under the previous rule are probably scrambling right now to meet the requirements of the final HIPAA Omnibus rule. The time and resources required to meet the deadline must be significant. HHS Secretary Kathleen Sebelius stated, “Much has changed in healthcare since HIPAA was enacted 15 years ago. The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.” Admittedly, that statement is as safe and cliché of a press release quote you will ever see. If I had to guess, that is probably kind of the point. The concept of the rules and regulations associated with protecting patients’ health information changing with the evolving landscape of the healthcare industry is safe and cliché. It needs to be done and organizations have to do it despite the costs.
Capitalize on Investments
On the upside, forward-thinking organizations who are already investing funds into HIPAA-compliance can be proactive about their PR/marketing efforts and get some added value relatively quickly. Considering the rule recently went into effect, it is top of mind for media outlets and potential customers alike. Bylined articles, media placements, blogs and social media are some quick and simple ways to generate thought leadership around this topic. From a branding perspective, companies who are or soon to be HIPAA-compliant can capitalize on timing to remind new and potential customers of that fact through eblasts and website copy.
Obviously, there are more substantial, long-term strategies that companies can employ to generate thought leadership and brand awareness. But industry trends coupled with investment represent effective opportunities for marketing and PR. It’s almost a crime for companies not to capitalize on them.