HIPAA Omnibus Rule Checklist

The Omnibus Rule was introduced in 2013 as a way to amend the HIPAA privacy and security rules requirements, including changes to the obligations of business associates regarding the management of PHI.

The rule merges the following four separate rule makings:

• Amendments to HIPAA Privacy and Security rules requirements
• HIPAA and HIPAA HITECH under one rule now
• Further requirements for data breach notifications and penalty enforcement
• Approving the regulations in regards to the HITECH Act’s breach notification rule

The Omnibus rule includes regulations that will:

• Manage the use of patient information in marketing
• Includes a provision that requires healthcare providers to report data breaches that are deemed not harmful
• Makes certain that business associates and subcontractors are liable for their own breaches and requires Business Associates to comply with HIPAA

Although all healthcare institutions had to make changes and adhere to the Omnibus Rule when it was implemented, this checklist provides you with an easy way to evaluate compliance on a periodic basis.

A little info about Process Street

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

First, enter some basic details regarding your organization.

In order to properly evaluate your compliance with the HIPAA Omnibus Rule, you must designate a privacy and security official to lead and manage the effort.

Enter their contact details in the form fields below.

In short, the Omnibus Rule means that Business Associates (BA's) are now directly liable for any non-compliance and any fines associated with HIPAA non-compliance.

For example, the following rules are enforced:

• Business associate agreements (BAA's) and policies and procedures must address the prohibition on the sale of patients' PHI without permission.
• Covered entities' business associate agreements and policies and procedures must address the expanded rights of individuals to restrict disclosures of PHI.

All of your BAA's must be updated to reflect these new changes. 

The Omnibus Rule also changed the definition of a BA. Read through this document to see exactly what changed.

You can attach and/or link to your updated BAA's below. 

In addition to BAA's, you also need to update your Notice of Privacy Practices to reflect new regulations implemented by the Omnibus Rule. 

Covered entities' Notice of Privacy Practices forms need to inform patients that they will be notified if their PHI is subject to a breach. NPP's must also inform individuals that a covered entity may contact them to raise funds, and the individual has a right to opt out of receiving such communications. - Molly Gamble, Becker's Hospital Review

The changes that need to be made to NPPs can be summarized as:

• The Omnibus Rule requires that the health plan NPP state that use and disclosure of PHI for marketing and use and disclosure that constitute a sale of PHI require authorization.
• The NPP must include a statement that other uses and disclosures not described in the NPP will be made only with authorization.
• The NPP must state that an individual has a right to or will receive notifications of breaches of unsecured PHI.
• The NPP must state that genetic information cannot be used or disclosed for underwriting purposes.

You can attach and/or link to your updated NPP below.

The Omnibus Rule amends the definition of breach to clarify that the impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach and breach notification is necessary unless a covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

The Omnibus Rule identifies four factors that must be considered in a risk assessment:

• The nature and extent of the PHI involved;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI actually was acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.

Update your breach notification compliance plan to reflect the new changes. 

You can attach and/or link to your updated plan below.

Process Street has built a HIPAA Security Breach Reporting Checklist that you can run immediately if you are facing a breach. 

Click here to learn more about the changes made to the breach notification rule

In order to comply with the HIPAA Omnibus Rule, you must update the patient medical record request form to include the option of providing an electronic copy to the patient.

You can attach and/or link to the updated patient medical record request form below.

Redraft HIPAA policies and procedures to address the changes in the the following documents:

You can attach and/or link to the updated HIPAA policies and procedures document below.

PHI must be encrypted to federal standards, though what this means exactly remains intentionally ambiguous. 

This is in large part due to the technical safeguards relating to the encryption of PHI are defined as “addressable” requirements.

Ultimately, it comes down to the findings gathered from conducting a risk analysis of PHI security. 

The HIPAA Security Rule allows covered entities to transmit ePHI via email over an electronic open network, provided the information is adequately protected. HIPAA-covered entities must decide whether or not to use encryption for email. That decision must be based on the results of a risk analysis. The risk analysis will identify the risks to the confidentiality, integrity, and availability of ePHI, and a risk management plan must then be developed to reduce those risks to an appropriate level. - HIPAA Journal, HIPAA Encryption Requirements

Once a communication containing PHI goes beyond a covered entity's firewall, encryption becomes an addressable safeguard that must be dealt with. This applies to any form electronic communication – email, SMS, instant message, etc.

In the form field below, provide a summary of the measures your organization has taken to encrypt PHI to federal standards.

You can also attach and/or link to relevant documentation.

In addition to encrypting PHI, you need to ensure that your Electronic Health Record (EHR) is certified. 

The Center for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) have placed standards that will certify your EHR if you have acquired have the necessary technical capabilities and security safeguards.

EHR systems must include access controls such as passwords which help limit the access to patients’ confidential information.

The introduction of the Omnibus Rule brought in new, stricter restrictions when it comes to marketing PHI. 

To learn more about the marketing restrictions that have been put in place, read this article by the HIPAA Journal. 

It is essential that you perform ongoing employee training to make sure all staff members are aware of the rules and regulations laid out by the Omnibus Rule, and are performing their duties accordingly. 

Enter the date of the most recent training session below for record-keeping purposes

All training must be documented. This is incredibly important in the event of an external audit or investigation.

HIPAA requires that training be documented.  It doesn’t say much else on how training must be documented.  In the event of an OCR investigation or audit, it is best to be able to produce the content of the training as well as when it was administered, to whom, and how frequently.  You should also keep track of who completed it successfully and what successful completion entailed. - TeachPrivacy

 You can attach and/or link to training documentation below. 

• HealthITSecurity - HIPAA Omnibus Rule compliance checklist for CEs, BAs
• Cooperative of American Physicians - HIPAA Omnibus Rule Checklist
• HIPAA Survival Guide - HIPAA Omnibus Rule
• Dental Enhancements Inc. - HIPAA Omnibus Rule Checklist of Requirements
• Holland & Hart - HIPAA Omnibus Rule: Checklist for Compliance
• Bricker & Eckler - Analysis of Final HIPAA Omnibus Rule: Business Associates and Business Associate
• Cynergistek - Are Your Business Associate Agreements Compliant With The Omnibus Rule?

• HIPAA Compliance Checklist for HR
• HIPAA Privacy Risk Assessment Checklist
• HIPAA Security Breach Reporting Checklist
• HIPAA Business Associate Agreement Checklist
• HIPAA Data Backup Plan Checklist
• Patient Intake Checklist for a Medical Clinic
• Patient Intake Checklist for a Dental Clinic
• Patient Satisfaction Survey Checklist
• Hospital Housekeeping Checklist
• Terminal Room Cleaning Checklist
• Hospital Safety Inspection Checklist
• General Infection Control Checklist
• Patient Satisfaction Survey Checklist
• Home Visit Checklist
• Mental Health Risk Assessment Checklist
• WHO Surgical Safety Checklist
• HIPAA Compliance Checklist
• COVID-19 Procedure: Isolation Area Management
• COVID-19 Procedure: Disinfection Procedures for COVID-19 Isolation Ward Area
• COVID-19 Procedure: Lung Transplantation Pre-Transplantation Assessment
• COVID-19 Procedure: Nursing Care During Treatment (ALSS)
• COVID-19 Procedure: Protocol for Donning and Removing PPE
• COVID-19 Procedure: Staff Management (Workflow and Health)
• COVID-19 Procedure: Daily Management and Monitoring of ECMO Audit
• COVID-19 Procedure: Digital Support for Epidemic Prevention and Control
• COVID-19 Procedure: Discharge Standards and Follow-up Plan for COVID-19 Patients
• COVID-19 Procedure: Disinfection of COVID-19 Related Reusable Medical Devices
• COVID-19 Procedure: Disinfection Procedures for Infectious Fabrics of Suspected or Confirmed Patients
• COVID-19 Procedure: Disposal Procedures for COVID-19 Related Medical Waste
• COVID-19 Procedure: Disposal Procedures for Spills of COVID-19 Patient Blood/Fluids
• COVID-19 Procedure: Procedures for Handling Bodies of Deceased Suspected or Confirmed Patients
• COVID-19 Procedure: Procedures for Taking Remedial Actions against Occupational Exposure to COVID-19
• COVID-19 Procedure: Surgical Operations for Suspected or Confirmed Patients