OR WAIT null SECS
The Omnibus Final Rule (Final Rule) entitled "Modifications of the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act" became effective on March 26, 2013.
Editor's Note: Part I of this article can be viewed here.
The Omnibus Final Rule (Final Rule) entitled “Modifications of the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act” became effective on March 26, 2013.
The Final Rule has created major modifications with compliance and enforcement implications which will affect stakeholders involved in transactions for the use and disclosure of protected health information (PHI) and the conduct of clinical research.
Here are some of the modifications which are subject to enforcement by the Office of Civil Rights (OCR) and requiring compliance by September 23, 2013.
Business Associates are directly impacted by the modifications to the Privacy and Security Rules, and both Covered Entities and Business Associates are directly impacted by the modifications to the Breach Notification Rule.
Covered Entities are directly impacted by the modifications to the Privacy Rule relating to compound authorizations, authorization for future research use and the use of a deceased person’s PHI.
OCR can enforce any breach under the modified HIPAA Rules.
Privacy and Security Rules: Transactions involving PHI
Privacy Rule: Clinical Research
Breach Notification Rule
Covered Entities and Business Associates must amend their BAAs by the September date. Existing BAAs have the benefit of a transition period until September 22, 2014.
To successfully come into compliance, Covered Entities considers it as a joint effort with Business Associates. “The Covered Entity and Business Associate must work together to ensure that privacy is seamless throughout the process,” states Raymond Braeunig, Chief Compliance and Privacy Officer, Rowan University School of Osteopathic Medicine.
“Not only does the Business Associate has more responsibilities but the Covered Entity must ensure those responsibilities are understood and the Covered Entity must verify the Business Associate has the security measures in place in accordance with the rules.”
To reflect this increase in responsibilities, each BAA must be modified to:
In addition to modifying the BAAs, “the next step is for the Covered Entity to outline a risk assessment for the Business Associate and perform a walkthrough of the Business Associate’s operation(s) as well as any Business Associate subcontractor to ensure the privacy and security measures are in place, as the Covered Entity will be ultimately responsible as well to ensure compliance with the rules,” concludes Braeunig.
Covered Entities must also amend their policies and procedures by the September date “in order to take advantage of the enhanced efficiency in research initiatives that the Final Rule provides and to come into compliance with the requirements of the Final Rule,” states Elan Czeisler, Director, Institutional Review Board (IRB) and Human Research Protection Program, NYU Langone Medical Center.
“In collaboration with the Office of Research Compliance and Office of Legal Counsel, we are in the process of amending our policies and procedures to be compliant with the Final Rule and reflect changes relating to compound authorizations, authorization for future research use and the use of a deceased person’s PHI."
In addition to these amendments, training is key to sensitize the workforce to the requirements of the Final Rule and Covered Entities need to ensure that their workforce understands the new HIPAA Rules. “We plan to conduct training for all of our clinical personnel to sensitize them to the new requirements and the increased level of scrutiny and potential enforcement by OCR,” states Braeunig.
The changes to the HIPAA Rules are likely to have an impact on the conduct of clinical research and transactions involving PHI. The relationships between Covered Entities, Business Associates and OCR are also likely to be redefined requiring continuous monitoring.
The territory is uncharted and future regulatory developments may come into play.
“We plan to remain on the lookout for future regulatory developments and guidance on these and other issues,” concludes Czeisler.
Future regulatory developments and guidance may be found on http://www.hhs.gov/ocr/office/index.html.
View the related blog here.
Lina Genovesi, PhD, JD www.linagenovesi.com