The Omnibus Rule went into effect on March 26, 2013. While covered entities and business associates have until Sept. 23, 2013, to comply with new restrictions and obligations, they can take advantage of the rule’s benefits immediately. These benefits include:
- Improved ability to target fundraising efforts;
- Greater ability to combine research authorization forms; and
- Less formal documentation for providing student immunization records to schools.
Covered entities also may wish to practice applying the new breach notification standard and breach risk assessment factors prior to the compliance date in September.
More information about the Omnibus Rule can be read in an alert published on Jan. 23.
Broader fundraising communications. The Omnibus Rule permits broader use of protected health information for fundraising communications. As originally implemented, the HIPAA Privacy Rule permitted only the use of demographic information and dates of care for fundraising purposes. The Omnibus Rule now also permits the use of department of service, treating physician, outcome information, and health insurance status. This means that a covered entity seeking to raise funds for a specific program can target its fundraising campaign to patients who have experienced positive outcomes and have conditions related to the program, and that the covered entity can avoid sending communications to individuals whose insurance status makes them unlikely to contribute. The Omnibus Rule also imposes new requirements on offering individuals an opportunity to opt out of fundraising communications, but covered entities will have until September to comply with the new restrictions.
Simplifying authorization process. The Omnibus Rule removed significant barriers to clinical research. In the past, an authorization to use or disclose protected health information in a clinical trial that conditioned trial-related treatment on the authorization (called a “conditioned” authorization) could not be combined with an unconditioned authorization (e.g., an authorization to use and disclose protected health information for a tissue bank). The Omnibus Rule now permits combining conditioned and unconditioned authorizations, allowing the individual to opt in to the unconditioned authorization. This is good news for the research community because it simplifies authorization paperwork. For example, a researcher will be able to rely on a single authorization for a clinical trial that requires execution of the authorization to participate in the trial and that also includes an opt-in (such as a check box or a second signature line) authorizing the covered entity to use and disclose the individual’s protected health information (PHI) for a tissue bank. The authorization must make clear that the individual may choose not to opt in to the tissue bank and that the choice will not impact treatment, payment, or benefits.
More flexibility with future research. The preamble of the Omnibus Rule also includes a change to HIPAA that will be a boon for the research community. Previously, HHS took the position that an authorization for research must be study-specific. A valid authorization could not authorize use and disclosure of PHI for future research. The research community has long stated that this interpretation stands as a significant impediment to beneficial secondary research efforts. The Omnibus Rule modified HHS’ interpretation to permit authorization for future research purposes that are unrelated to the study, so long as the authorization adequately describes possible future research such that it would be reasonable for the subject to expect that his or her PHI could be used or disclosed for the research.
Student immunization records
The Omnibus Rule provides covered entities with greater flexibility to disclose student immunization records. A covered entity is now permitted to disclose the immunization record of a student or prospective student to a school if: (1) state law requires the school to have proof of immunization; and (2) the covered entity obtains and documents the agreement of the parent or guardian. The parent or guardian’s agreement may be in writing (but need not satisfy the requirements for a HIPAA authorization) or oral. For example, an email from the parent or a notation of a phone call in the child’s medical record or elsewhere would suffice as documentation.
Breach notification standard
Starting Sept. 23, 2013, covered entities will need to modify how they assess whether an incident rises to the level of a reportable “breach.” They will need to assess whether the incident represents a “low probability of compromise” rather than a “significant risk of financial, reputational, or other harm,” and they will need to apply four factors as part of any breach risk assessment. The next six months provide a good opportunity for organizations to start applying the new standard and the relevant factors in assessing whether to report a breach, as we expect that many entities will need to fine-tune this process.
To assist covered entities in implementing these and other policy changes under the Omnibus Rule, Davis Wright recently updated its HIPAA Audit Toolkit.