    Posted June 27, 2014 by MikeManion, Miami, Florida

    Magda Fariña Rodriguez Discusses New Omnibus Rule And Why Healthcare Providers Need To Pay Attention

    Magda Fariña Rodriguez, President at Health Management Solutions, Inc., located in the Miami/Fort Lauderdale area, explains how the Omnibus rule is having a significant impact on Healthcare Providers and Covered Entities. Under the new rule, there have been some big changes. First, there is now a presumption that a breach of Protected Health Information (PHI) has occurred unless the Covered Entity (CE) or Business Associate (BA) demonstrates, by means of a written Risk Assessment, that there is a low probability that the PHI has been compromised.

    This means that the burden of proof is on the medical office to conduct a risk analysis and prove that a breach did not occur. This change was made to better protect consumers' rights. If the office is unable to do this, or it is determined that there was indeed a breach, then it has to send breach notifications, by first-class mail, within 60 days. According to Rodriguez, the three new areas that Healthcare Providers need to focus on complying with are: Privacy, Security and Breach Notification policies and procedures; the Notice of Privacy Practices (NPP); and Business Associate Agreements (BAA).

    The new deadline for NPP and BAA compliance is now September 23, 2014. "This has been a long-awaited process, for which those of us familiar with the evolution of the rule, and in particular larger healthcare organizations that have significant resources at their disposal, have been preparing," Rodriguez says. She adds, "However, my concern is with the smaller individual 'solo' healthcare practitioners, such as dentists, that are not associated with a large healthcare organization from which to obtain training and resources. I believe they are in the dark about these changes." Rodriguez feels that there is a language barrier in the industry because healthcare professionals don't associate the term "Covered Entity" (CE) with themselves and don't know its actual definition. "They think this terminology applies only to larger organizations," Rodriguez says. "A large majority presume they do not need to comply with this regulation (when they do)."

    Another misunderstanding she has identified is that healthcare providers think they are HIPAA compliant because they have patients sign the "Acknowledgement of Receipt of Privacy Practices" form that they created years ago when the Health Insurance Portability and Accountability Act (HIPAA) was first implemented. "They tell me," she explains, "'Yes, I am HIPAA compliant, I give my patients the form to sign.' But they are unaware they need to comply with the new rule that requires them to change their Business Associate Agreements (BAA) and to review their associations, because the new definition of BA has expanded to include subcontractors not previously included in the Privacy Rule. They also need to conduct annual training for all their staff and change the Notice of Privacy Practices (NPP) to comply with the new guidelines. They need to implement a Risk Management Program, designate a Security Official, have written policies and procedures, document compliance and conduct a Risk Analysis when there is a breach."

    She explains, "Many of these Healthcare Providers and Covered Entities have no idea of the level of fines involved and the fact that the Department's Office for Civil Rights (OCR) will be conducting inspections to enforce the Rule beginning Fall 2014. For example, if they are found to be out of compliance and they did not know about the requirement, then fines start at $100 and go up to $50,000. If there is reasonable cause to suspect a violation, $1,000 to $50,000. If it is found to have been willful neglect to comply with the requirements, the fines start at $10,000 and go up to $50,000—even if the problems have been corrected. If the problems are shown to be both willful neglect and currently uncorrected, the fine is $50,000 per violation." She adds, "The Department of Health and Human Services understands that smaller and less sophisticated practices may not be able to implement security in the same manner and at the same cost as larger organizations. However, cost alone is not considered an acceptable reason not to implement a procedure or measure to safeguard patient information."