Christian Counseling Today, Vol. 20 No. 2
The HIPAA Omnibus Rule, published by the U.S. Department of Health and Human Services ("HHS") on January 25, 2013, includes some important modifications of the Health Insurance Portability and Accountability Act's (HIPAA) Privacy, Security and Enforcement Rules, including increased consumer rights and a greater likelihood that data breaches will be reported by covered entities (e.g., a solo counselor, group practice, treatment facility, etc.). According to HHS Office for Civil Rights Director Leon Rodriguez, the Rule sets forth "... the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented." [1] The Rule became effective on March 26, 2013, and generally requires compliance by covered entities by September 23, 2013.
The key provisions of the HIPAA Omnibus Rule of interest to licensed Christian counselors who are HIPAA covered entities, and who must therefore protect client confidentiality, are as follows:
Changes to the Notice of Privacy Practices

A covered entity's Notice of Privacy Practices ("NPP") must, in part, include:

• A statement regarding the right of affected individuals to be notified following a data breach.

• A description of the types of uses and disclosures of Protected Health Information ("PHI") that generally require the individual's authorization (i.e., psychotherapy notes, the use and disclosure of PHI for marketing purposes, and the sale of PHI). The NPP must also make clear that all other uses and disclosures of PHI not described in the NPP will only be made with the individual's authorization.

• A statement regarding an individual's right, generally, to require a covered entity to restrict disclosure of PHI to a health plan if the PHI pertains solely to a healthcare item or service for which the individual, or a person other than the health plan, has paid the covered entity in full.
Increased PHI Access by Consumers

If a covered entity maintains PHI electronically in designated record sets, patients can, generally, obtain an electronic copy of such records. PHI must, generally, be provided to an individual in the form and format requested by the individual. If PHI is not readily producible in that form, the covered entity and the individual can agree on an alternative readable electronic form and format.
• Unencrypted E-mail. HHS stressed in the comments to the HIPAA Omnibus Rule that a covered entity can send PHI to an individual by unencrypted e-mail if the individual has been notified of the risk involved in such a transmission and still wishes to receive PHI in that format. A covered entity is not responsible for unauthorized access to PHI while it is in transit to the individual when the unencrypted transmission was made at the individual's request. As a practical matter, the covered entity should document that the warning was given and that the individual chose unencrypted e-mail anyway.
• Individual Requests for PHI Disclosure and Nondisclosure. An individual can request that a covered entity transmit a copy of his or her PHI to another person. The request must be in writing and signed by the individual. Also, as noted previously, individuals can, generally, restrict disclosure of their PHI by a covered entity to a health plan for an item or service for which the individual, or a person other than the health plan, has paid the covered entity in full.
• Response Time and Fees. A covered entity has 30 days to respond to an individual's request for access to, or a copy of, his or her PHI. One 30-day extension of the time to produce the PHI is also possible. Finally, a reasonable, cost-based fee can be charged for furnishing a copy of the PHI to an individual.
Direct Business Associate Responsibility for HIPAA Compliance

Business associates are now directly subject to the HIPAA Security Rule and to a majority of the requirements of the HIPAA Privacy Rule. The HIPAA Omnibus Rule expands the definition of business associate and specifically names certain entities (e.g., subcontractors of business associates, and persons who provide data transmission services for PHI to a covered entity and require routine access to that PHI).
More Stringent Breach Notification Guidelines

The Omnibus Rule revises the definition of "breach" to make it more probable that a covered entity or business associate will need to report one. Under the prior rule, a breach had to be reported only if it posed a significant risk of financial, reputational or other harm to the individual. Under the final Rule, a presumption is created that the unauthorized acquisition, access, use or disclosure of unsecured PHI is a data
John Sandy, J.D.
Law, Ethics & Liability
New HIPAA Omnibus Rule Takeaways for Christian Counselors