This book includes a plain text version that is designed for high accessibility. To use this version please follow this link.
● HIPAA Omnibus Rule Don’t ask,

don’t tell How the Omnibus Final Rule assigns responsibility for safeguarding protected health information (PHI). By Chris Davis

health information (ePHI) on behalf of covered entities (i.e. healthcare providers) are making nuanced arguments that HIPAA does not apply to them.


lthough the Omnibus Final Rule attempts to make it clear in its broad defi nition of who is and who is not a business associate (BA), some IT service providers that handle electronic protected

Chris Davis is

compliance solutions architect, Verizon. For more on Verizon: www.rsleads. com/307ht-202

One of the arguments revolves around encrypted ePHI. 87.3%87.3%

Percentage of practices that can handle an entire day's worth of

reminders in less than one hour. SAVE YOUR STAFF TIME.

PHONE, TEXT & EMAIL REMINDERS Ask about our free texting incentive

★ ★ 877.259.0658


Wherein the service provider does not have access to the decryption key – and if the service provider doesn’t know what’s inside the encrypted data – then the service provider cannot take responsibility for its contents. Other service providers are simply refusing to be considered a business associate, and do not provide a means for covered entities to discuss the nature of the data stored or processed on the provider’s servers. Either way, it amounts to a kind of “Don’t ask, don’t tell” for health IT, a practice in stark contrast to the intent of the Omnibus Rule, which goes into eff ect Sept. 23, 2013, with stiff penalties for those who do not comply. T e problem with this thinking is that it takes a myopic view of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule as well as the Omnibus Final Rule. From an outsider’s perspective, “security” in the context of HIPAA is typically translated as “protecting ePHI against data breaches.” Hence, from this perspective, if the ePHI is encrypted, it is highly unlikely that an unauthorized person can gain access to this information. But HIPAA security is not only about protecting ePHI against unauthorized access. Equally important is ensuring that ePHI is available to authorized individuals upon request to provide care.

Service providers doing business with covered entities need to realize that they are responsible for ePHI – no matter the form – and that they too may be held accountable at the discretion of the Department of Health and Human Services.

Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46