The HIPAA Omnibus Rule
A Compliance Guide for Covered Entities and Business Associates
Understand the HIPAA Omnibus Rule and what you must do to ensure compliance
The HIPAA Omnibus Rule: A Compliance Guide for Covered Entities and Business Associates explains in clear and concise language the recently published, nearly 600-page rule and preamble that revises the HIPAA Privacy, Security, Breach Notification, and Enforcement rules. This easy-to-read guide describes the revisions and offers advice for complying with new requirements and standards. Almost every covered entity and business associate will need to revise its policies and procedures because of the Omnibus Rule. This book is your first step on the path to compliance.
- Information is presented in a user-friendly format that facilitates compliance with HIPAA Omnibus Rule requirements.
- The author distills and summarizes the nearly 600-page Omnibus Rule and preamble published January 25, 2013, in the Federal Register.
- Specific examples clarify how, when, and to whom various provisions of the Omnibus Rule apply.
- The online appendix provides instantaneous access to the electronic Code of Federal Regulations.
- The Omnibus Rule Compliance Tracker in the online appendix facilitates compliance planning and management.
Chapter 1: Compliance Strategies
Chapter 2: The Evolving Definition of PHI
Chapter 3: Business Associate Changes and Their Impact
- Expanded Definition of Business Associate
- New Business Associate Accountability and Liability
Chapter 4: Business Associate Contracts and Data Use Agreements
- Business Associate Contracts and Other Arrangements
- Data Use Agreements
Chapter 5: Enhanced Individual Rights
- PHI Disclosure Restrictions for Out-of-pocket Payments
- Individuals’ Requests for Copies of PHI
Chapter 6: Greater Protection for PHI
- Marketing and PHI
- Sale of PHI
- Fundraising and PHI
- Underwriting and PHI
Chapter 7: Facilitating PHI Use and Disclosure
- Decedents’ PHI Disclosed to Family and Others
- Immunization Status Disclosed to Schools
Chapter 8: Identifying Breaches
- Presumption of Breach
- Revised Risk Assessment
- Exceptions: Low-risk Situations
- Breach of Limited Data Sets
Chapter 9: Privacy Notice Impact
- Material Changes to the Privacy Notice
- Distribution of the Revised Privacy Notice
Chapter 10: Enforcement
Business Associate Contract: Sample Provisions
HIPAA/HITECH Act Administrative Simplification Penalties
Omnibus Rule Compliance Tracker
About the Authors
Kate Borten, president of The Marblehead Group in Marblehead, Mass., offers a unique blend of technical and management expertise, information security and privacy knowledge, and an insider’s understanding of the healthcare industry. Her company, founded in 1999, serves the full spectrum of covered entities and their business associates with respect to understanding privacy and security regulations, establishing and enhancing formal privacy and security programs, and assessing risk and regulatory compliance. Borten has more than 20 years of experience designing, implementing, and integrating healthcare information systems at world-renowned medical facilities, including Massachusetts General Hospital, where she was responsible for system development.
Published: May 2013