
2055 N 156th St

Omaha, NE 68116 US

402-991-5200

Privacy Policy Updated Sept 2013

HIPAA OMNIBUS RULE:

NEW CHANGES TO HIPAA PRIVACY PRACTICES AND SECURITY RULES

The following summary provides an overview of the steps providers will need to take in each of the areas below to meet the new requirements under the HIPAA Omnibus Rule.

Breach Notification Policies and Procedures

The HIPAA Omnibus Rule lowers the standard for breach notification.  Under the previous rule, breaches were not required to be reported to the Department of Health and Human Services (“HHS”) unless they posed a “significant risk of reputational, financial or other harm” to individuals.  The new standard presumes that a reportable breach has occurred unless the covered entity or business associate, through the use of a multi-factor risk assessment, determines that there is a low probability that the protected health information (“PHI”) has been compromised by the unauthorized use or disclosure.

To demonstrate that there is a low probability that a breach compromised PHI, a provider must perform a risk assessment that addresses the following minimum standards:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

A provider must be able to quickly perform a risk assessment that will: (1) review a potential breach; (2) identify whether it is reportable and how to mitigate the harm; and (3) remediate the problem.  Providers should revise their breach notification policies and procedures prior to September 23, 2013 to reflect this new breach analysis process.  

Notice of Privacy Practices

As a result of the changes in the HIPAA Omnibus Rule, providers will be required to revise their Notice of Privacy Practices (“NPP”) and post the NPP in a clear and prominent location.  If the provider maintains a website, the NPP also must be posted there.  NPPs now must include the following provisions:

  • Authorizations:  A statement that the following uses and disclosures will be made only with authorization from the individual:
      • uses and disclosures for marketing purposes; and
      • uses and disclosures that constitute the sale of PHI.
  • Breach notification statement:  A statement that the provider must notify an affected individual of a breach of unsecured PHI;
  • Fundraising disclosures:  A statement that the recipient of fundraising materials may opt out of future fundraising communications (if the provider conducts fundraising); and
  • Restrict disclosure to health plans:  A description of an individual’s right to restrict disclosures of protected health information to health plans if the individual has paid for services completely out of pocket.

The HIPAA Omnibus Rule also eliminates requirements to include information in NPPs concerning appointment reminders, treatment alternatives, and health-related benefits or services, but the rule does not require that such information be removed either.   

Business Associate Agreements

The definition of the term “business associate” has been expanded to include:  health information organizations, personal health record vendors, subcontractors of a business associate, and individuals or entities that create, receive, maintain, or transmit PHI for a covered entity.  It is significant that this definition now includes subcontractors of business associates and entities that maintain PHI.  By adding this language, HHS clarified that you can have a “business associate of a business associate” and that business associates who use subcontractors for functions involving PHI will need to enter into business associate agreements with those subcontractors.  Further, based on the addition of the word “maintain” to the definition, covered entities should require off-site records storage facilities or cloud storage providers that maintain PHI to sign business associate agreements.

The HHS Office for Civil Rights (“OCR”) has published a form business associate agreement on its website, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html, incorporating the new HIPAA Omnibus Rule.  A sample business associate agreement is also attached to this memo.  Providers should compare their existing templates to these new forms, or adopt one of the forms as their new agreement.  Business associates should require applicable subcontractors to sign business associate agreements that track the new form and also address the terms of the business associate agreement with the covered entity.

Liability for Business Associates

One of the important clarifications under the HIPAA Omnibus Rule relates to covered entities’ liability for the conduct of their business associates.  Prior to the promulgation of the HIPAA Omnibus Rule, it was unclear whether covered entities could be held liable for their business associates’ HIPAA violations if the covered entity had an appropriate business associate agreement in place and took reasonable steps to address breaches.  The HIPAA Omnibus Rule clarified that a covered entity can indeed be held liable for the acts or omissions of its business associates that are acting as the covered entity’s “agent,” as determined under the federal common law of agency.  This agent liability also extends to a business associate for the actions or omissions of its subcontractors.

Whether an agency relationship exists under federal common law is a fact-specific inquiry.  While there are many factors to consider, HHS has indicated that the essential factor in determining whether an agency relationship exists is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity.  Ultimately, the more discretion and independence the business associate has in performing functions for the covered entity, the less likely it is that an agency relationship exists.

HIPAA Privacy Policies and Procedures

Providers must update privacy policies and procedures to address changes made by the HIPAA Omnibus Rule in the following areas:

  • Individual rights:  If an individual requests a digital copy of certain electronic PHI or directs a provider in writing to transmit a copy to another person, the provider generally must produce the information in the format requested if readily producible within 30 days or negotiate an alternative format.   Further, if an individual requests that a copy of his or her PHI be sent via unencrypted email, then a provider is permitted to do so, as long as the covered entity has advised the individual of the risks and the individual still prefers the unencrypted email.
  • Patient’s Right to Request Restrictions:  A provider must comply with an individual’s request for restrictions on disclosures made to health plans for payment or health care operations purposes if the PHI pertains to an item or service for which the individual paid completely out-of-pocket.
  • Marketing:  A provider must obtain written authorization to use and disclose PHI for marketing purposes, including most non-face-to-face communications for which the provider receives payment to make the communication.  If payment is involved, the marketing authorization must disclose that fact.  However, a provider may inform a patient about a third party’s product or service without the patient’s written authorization in any of the following circumstances: the provider receives no compensation for the communication; the communication is face-to-face; the communication involves a drug or biologic the patient is currently being prescribed and the payment is limited to reasonable reimbursement of the costs of the communication; or the communication involves general health promotion.  A provider is also still permitted to give patients promotional gifts of nominal value (e.g., a pamphlet).
  • Fundraising:  A provider now may disclose more information to institutionally related foundations for fundraising, but the provider must explain how the recipient may opt out of receiving future fundraising communications.  If an individual opts out, the provider must not make any further fundraising communications to that individual.
  • Research:   If a provider engages in research, the provider should review the new standards applicable to research.
  • Sale of PHI:  A provider must obtain authorization if the provider receives direct or indirect remuneration (including nonfinancial) in exchange for the disclosure of or access to PHI.  The authorization must state the provider is receiving remuneration in exchange for the PHI.  There are several exceptions that apply (e.g., public health activities, treatment, and payment). 
  • Deceased Persons:   A provider may make relevant disclosures to the deceased’s family and friends under essentially the same circumstances that such disclosures were permitted when the patient was alive; that is, when these individuals were involved in providing care or payment for care and the provider is unaware of any expressed preference to the contrary.  The HIPAA Omnibus Rule also eliminates any HIPAA protection for PHI 50 years after a patient’s death.
