The Newsletter for SUNY Downstate
University Hospital of Brooklyn
ISSUE 16 SEPTEMBER 2013
Get on the HIPAA (Omni)bus
Have you done your HIPAA training yet? All Downstate employees must refresh their training to ensure compliance with new HIPAA regulations put into effect by the "Omnibus Rule" issued by the Department of Health and Human Services.
The Omnibus Rule – named for its sweeping scope – makes notable changes to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Refresher training must be completed by September 23, 2013.
You can access the HIPAA training module from Downstate's home page. If you haven't yet received your password, talk to your supervisor.
Here are the Rule's key changes:
Applies HIPAA rules to business associates (BAs) and subcontractors
BAs of DMC are now directly liable and must abide by the HIPAA Security standards as well as certain aspects of the Privacy Rule. BAs now include subcontractors, Patient Safety Organizations, health exchange organizations and personal health record vendors to whom Downstate provides routine access to PHI.
A new SUNY DMC template Business Associate Agreement (BAA) is in place and is to be utilized for contractual understanding of the new requirements between DMC and its vendors.
Updates Civil Monetary Penalty Provisions
Places a new focus on willful neglect. Additionally, civil monetary penalties may be levied against BAs that fail to comply.
Communications – for treatment, payment, operations or otherwise – that involve financial remuneration from a third party whose product or service is being described now require patient authorization.
Expands the PHI that a covered entity may use without authorization from the patient for fundraising.
Notice of Privacy
Enhances patient rights and requirements outlined in the Notice of Privacy Practices (NPP). DMC will be revising its NPP for distribution to patients.
Out of Pocket Payments
Expands the rights of individuals to restrict disclosure of PHI to their health plan when services are paid out of pocket.
Research purposes included in an authorization no longer need to be study specific, allowing for use in future research.
Modifies Breach Notification Requirements
New rules for triggering breach notification requirements. Instead of a "significant risk of harm" determination, entities must demonstrate a low probability that the data was compromised in order to be exempt from reporting. This will mean many more reported incidents.