Are You in Compliance with the HIPAA Omnibus Final Rule?


They say time flies when you’re having fun but it’s a veritable rocket when you’re talking about ensuring that you’re in compliance with HIPAA. It’s been nine months since HHS released its update to the 1996 rule and six months since those new rules went into effect.

Now, as of Monday, all healthcare providers have to be in compliance or face the risk of civil penalties of up to $1.5 million per calendar year for violations of a single provision. Unless you find that prospect appealing, now would be a great time to ensure your systems are up to snuff.

While the rule itself is a 563-page compendium of provisions, definitions and governmental minutiae, the following four areas will likely represent the biggest changes and potential challenges for aesthetic professionals:

Ensuring patient privacy: The Final Rule mandates that providers’ Notices of Privacy Practices (NPP) more fully describe the uses and disclosures of PHI, requires patient authorization before that information can be used for marketing purposes and gives patients the right to restrict disclosures to their health plan when they pay for a service in full out of pocket.

Codifying breach procedures: Previously, providers only had to notify patients about a breach of unsecured PHI if it posed “a significant risk of financial, reputational, or other harm to the individual.” Not anymore. That “harm threshold” is gone: any impermissible use or disclosure of PHI is now presumed to be a breach, and the burden shifts to the provider to demonstrate, through a documented risk assessment, that there is a low probability the information has been compromised. There are exceptions (see pg. 309 of the rule) but it’s clearly better to take extra care to avoid such situations in the first place.

Managing business associate agreements: The new rule requires that “business associates will appropriately safeguard the electronic PHI they create, receive, maintain, or transmit” on your behalf. There are exceptions (the “conduit” exception covers carriers such as FedEx and Internet Service Providers that merely transport PHI) but if a contractor — or their sub-contractor, for that matter — handles PHI, they must adhere to HIPAA regulations regarding privacy and breaches thereof. The American Health Information Management Association offers a good overview here.

Expanding patient access to health information: In conjunction with HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH) is designed to give patients improved access to their health records. These days, that increasingly means electronic access, and the new rule spells out the conditions under which providers are required — or not — to fulfill such requests.

Doctor Takeaway

While the new HIPAA/HITECH rules are designed to be a win for patients, they don’t have to be a net loss for doctors who take the appropriate steps to remain in compliance. After all, the best way to protect yourself and your practice is to protect your patients. Likewise, it’s better to seek out legal advice from a compliance-savvy lawyer now than to find yourself needing a defense attorney later.

About Rob Lovitt

Rob Lovitt is a longtime writer and editor who believes every good business has a great story to tell. He has written for dozens of magazines and websites, including the inflight magazines of Alaska, Horizon and Frontier airlines.