Introduction:

The Omnibus Rule was published by HHS in January 2013 (with a compliance deadline of September 23, 2013) to amend the HIPAA Privacy and Security Rule requirements, including changes to the obligations of business associates regarding the management of PHI.

The rule merges the following four separate rulemakings:

  • Final modifications to the HIPAA Privacy, Security, and Enforcement Rules required by the HITECH Act
  • Changes to the Enforcement Rule, including the tiered civil money penalty structure introduced by HITECH
  • The final Breach Notification Rule, replacing the 2009 interim final rule
  • Modifications to the Privacy Rule required by the Genetic Information Nondiscrimination Act (GINA)

The Omnibus Rule includes regulations that:

  • Restrict the use of patient information in marketing and prohibit the sale of PHI without authorization
  • Replace the former "risk of harm" standard for breaches: an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised
  • Make business associates and their subcontractors directly liable for their own violations and require them to comply with the HIPAA Security Rule and the applicable Privacy Rule provisions

Although all covered entities and business associates had to make changes and adhere to the Omnibus Rule when it took effect, this checklist provides you with an easy way to evaluate compliance on a periodic basis.

A little info about Process Street

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

Enter basic details

First, enter some basic details regarding your organization.

Team management:

Designate a privacy and security official

In order to properly evaluate your compliance with the HIPAA Omnibus Rule, you must designate a privacy official and a security official (the two roles may be held by one person) to lead and manage the effort.

Enter their contact details in the form fields below.


Amending documentation:

Update Business Associate Agreements (BAAs)

In short, the Omnibus Rule makes business associates (BAs) directly liable for their own HIPAA non-compliance and for the civil money penalties that result.

For example, the following requirements now apply:

  • Business associate agreements (BAAs) and policies and procedures must address the prohibition on the sale of patients' PHI without authorization.
  • Covered entities' business associate agreements and policies and procedures must address the expanded rights of individuals to restrict disclosures of PHI.

All of your BAAs must be updated to reflect these changes.

The Omnibus Rule also broadened the definition of a BA: a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate, and each BA must have a written agreement with its subcontractors that passes the same obligations down the chain.

You can attach and/or link to your updated BAAs below.

Update Notice of Privacy Practices (NPPs)

In addition to BAAs, you also need to update your Notice of Privacy Practices to reflect the new regulations implemented by the Omnibus Rule.

Covered entities' Notice of Privacy Practices forms need to inform patients that they will be notified if their PHI is subject to a breach. NPPs must also inform individuals that a covered entity may contact them to raise funds, and the individual has a right to opt out of receiving such communications. - Molly Gamble, Becker's Hospital Review

The changes that need to be made to NPPs can be summarized as:

  • The NPP must state that uses and disclosures of PHI for marketing, and uses and disclosures that constitute a sale of PHI, require the individual's authorization.
  • The NPP must include a statement that other uses and disclosures not described in the NPP will be made only with authorization.
  • The NPP must state that affected individuals have a right to be notified, and will be notified, of breaches of their unsecured PHI.
  • Health plan NPPs must state that genetic information cannot be used or disclosed for underwriting purposes.

You can attach and/or link to your updated NPP below.

Update breach notification compliance plan

The Omnibus Rule amends the definition of breach to clarify that the impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach and breach notification is necessary unless a covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

The Omnibus Rule identifies four factors that must be considered in a risk assessment:

  • The nature and extent of the PHI involved;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI actually was acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

Update your breach notification compliance plan to reflect the presumption-of-breach standard and the four-factor risk assessment, and make sure each assessment is written down: the documented assessment is what you will need to show OCR if you decide not to notify.

You can attach and/or link to your updated plan below.


Process Street has built a HIPAA Security Breach Reporting Checklist that you can run immediately if you are facing a breach. 


Update patient medical record request form

In order to comply with the HIPAA Omnibus Rule, you must update the patient medical record request form to offer an electronic copy: individuals have the right to receive PHI that you maintain electronically in the electronic form and format they request, if it is readily producible, or otherwise in a readable electronic form agreed with the individual.

You can attach and/or link to the updated patient medical record request form below.

Redraft HIPAA policies and procedures

Redraft HIPAA policies and procedures to address the changes in the following documents:

  1. Notice of Privacy Practices
  2. Business Associate Agreements
  3. Security risk assessment
  4. Patient medical record request form

You can attach and/or link to the updated HIPAA policies and procedures document below.

Approval: All documents updated

The following tasks will be submitted for approval:
  • Update Business Associate Agreements (BAAs)
  • Update Notice of Privacy Practices (NPPs)
  • Update breach notification compliance plan
  • Update patient medical record request form
  • Redraft HIPAA policies and procedures

PHI security:

Encrypt PHI to federal standards

PHI must be encrypted to federal standards. The Security Rule does not name a specific algorithm, because the technical safeguards for encrypting ePHI, at rest (45 CFR 164.312(a)(2)(iv)) and in transit (45 CFR 164.312(e)(2)(ii)), are "addressable" rather than "required" implementation specifications.

"Addressable" does not mean optional: a covered entity or business associate must implement the safeguard if it is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure.

The concrete yardstick comes from the breach notification side. HHS guidance treats PHI as "secured" when it is encrypted in a manner consistent with NIST SP 800-111 (data at rest) or NIST SP 800-52, 800-77, or 800-113 (data in transit), and a lost or intercepted device or message that was encrypted this way, with the key not also compromised, falls outside the breach notification requirement.

Ultimately, it comes down to the findings of a risk analysis of PHI security.

The HIPAA Security Rule allows covered entities to transmit ePHI via email over an electronic open network, provided the information is adequately protected. HIPAA-covered entities must decide whether or not to use encryption for email. That decision must be based on the results of a risk analysis. The risk analysis will identify the risks to the confidentiality, integrity, and availability of ePHI, and a risk management plan must then be developed to reduce those risks to an appropriate level. - HIPAA Journal, HIPAA Encryption Requirements

Once a communication containing PHI leaves the covered entity's own network, transmission encryption becomes an addressable safeguard that must be dealt with. This applies to any form of electronic communication: email, SMS, instant messaging, and so on.

In the form field below, provide a summary of the measures your organization has taken to encrypt PHI to federal standards.

You can also attach and/or link to relevant documentation.
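As an added illustration of what "encrypted to federal standards" looks like in practice (this is example code written for this checklist, not Process Street's software or any HHS-endorsed implementation), the Go program below seals a PHI record with AES-256-GCM, the FIPS 197 block cipher in the NIST SP 800-38D authenticated mode. It binds the record identifier to the ciphertext as associated data, so a sealed blob cannot be silently attached to a different patient, and it shows that any tampering with the stored blob is rejected rather than decrypted to garbage. The record contents, the record ID scheme, and the function names are assumptions made for the example; the key-management layer is deliberately out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// EncryptPHI seals a plaintext PHI record with AES-256-GCM (FIPS 197 block
// cipher, NIST SP 800-38D mode). The returned blob is nonce || ciphertext || tag.
// recordID is bound to the ciphertext as associated data so that a blob cannot
// be moved to a different patient record without detection.
func EncryptPHI(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per record; never reuse a nonce under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptPHI reverses EncryptPHI. Any modification to the nonce, the
// ciphertext, the tag, or a mismatch in recordID makes Open return an error.
func DecryptPHI(key []byte, recordID string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// NewDataKey generates a fresh random 256-bit key. In a real deployment this
// key would come from (or be wrapped by) a key-management service; storing it
// beside the data defeats the safe harbor described above.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the example; not real patient data.
	record := []byte(`{"mrn":"000123","dob":"1970-01-01","dx":"E11.9"}`)
	blob, err := EncryptPHI(key, "patient/000123", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed:", base64.StdEncoding.EncodeToString(blob))

	// Flip one bit of the stored blob: authentication fails and nothing is returned.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptPHI(key, "patient/000123", tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	// The same blob presented under a different record ID is also rejected.
	if _, err := DecryptPHI(key, "patient/000999", blob); err != nil {
		fmt.Println("wrong record ID rejected:", err)
	}
	pt, err := DecryptPHI(key, "patient/000123", blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(pt))
}
```

The point for the checklist is the last three calls in main: an authenticated mode gives you a yes/no answer about whether the stored PHI is intact and belongs where it claims to, which is exactly the evidence a documented risk assessment needs when a device or backup goes missing. The same pattern applies to data in transit if you cannot rely on TLS end to end.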

Ensure your Electronic Health Record (EHR) is certified

In addition to encrypting PHI, you need to ensure that your Electronic Health Record (EHR) is certified. 

The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) maintain the certification criteria; an EHR is certified under the ONC Health IT Certification Program once it demonstrates the required technical capabilities and security safeguards.

Certified EHR systems must include access controls, such as unique user identification and authentication, that limit access to patients' confidential information, and must keep an audit log of who accessed which records and when, so that access can be reviewed after the fact.

Comply with marketing restrictions

The introduction of the Omnibus Rule brought in stricter restrictions on using PHI for marketing. A communication that promotes a product or service, and for which the covered entity receives payment from a third party, now requires the individual's written authorization, with a narrow exception for refill reminders and similar communications about a currently prescribed drug where any payment is reasonably related to the cost of making the communication.

For a fuller treatment of the marketing restrictions, see the HIPAA Journal's summary.

Approval: PHI security

The following tasks will be submitted for approval:
  • Encrypt PHI to federal standards
  • Ensure your Electronic Health Record (EHR) is certified
  • Comply with marketing restrictions

Employee training:

Implement a privacy and security awareness training program

It is essential that you perform ongoing employee training to make sure all staff members are aware of the rules and regulations laid out by the Omnibus Rule, and are performing their duties accordingly.

Enter the date of the most recent training session below for record-keeping purposes.

Ensure all training is being documented

All training must be documented. This is incredibly important in the event of an external audit or investigation.

HIPAA requires that training be documented. It doesn't say much else on how training must be documented. In the event of an OCR investigation or audit, it is best to be able to produce the content of the training as well as when it was administered, to whom, and how frequently. You should also keep track of who completed it successfully and what successful completion entailed. - TeachPrivacy

You can attach and/or link to training documentation below.

Approval: Employee training

The following tasks will be submitted for approval:
  • Implement a privacy and security awareness training program
  • Ensure all training is being documented
