
Advisory Panel: HIPAA Omnibus Rule

July 3, 2013 Advisory Panel 4 Comments

The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

The question this time: Are your organization’s executives paying a lot of attention to the HIPAA Omnibus Rule, or is it just business as usual?

It has been difficult to get executive attention on HIPAA security topics in general. We are going to use the HIPAA Omnibus rule to kick start a new education and training program across the entire organization. We will start with executives first.

Pretty much business as usual.

No, or if they do, we are not aware of it, which is just the same. Business as usual — the yearly training from a hired overpaid consultant so we can check the box for compliance.

[vendor member response] We are paying a lot of attention. As part of a recent acquisition, we are now part of a larger organization that is working to extend coverage of HIPAA, HITECH, and the BAA more broadly.

Business as usual.

It’s primarily business as usual, however, there are some provisions of the rule that may require us to revisit many of our third-party contracts. That has the potential to be a major endeavor, so it is something we are evaluating now.

Business as usual.

IT executives are because we are also on the hook for data security. The ability to not share data on specific encounters defined by payer type (insurance vs. self pay) concerns me a lot. I am not sure the HIS/EMR/EHR vendors are ready. I can’t say any of our other executives have even read a brief on the Omnibus rule.

[vendor member response] We are very concerned about the increased risk/liability for breaches. This is a big concern when using contractors. Our clients are not knowledgeable about the changes and truly not focused on it at all. On the ambulatory side of things, practices, even larger ones, are so swamped with EMR/EHR, and revenue loss from managed care that they consider HIPAA a done deal.

No. They are not at all, even after several attempts to raise awareness.

The organization is ignoring the rule, but the expectation is that IT and HIM stay on top of it. I don’t have a problem with that and so IT/HIM are finishing up our changes in order to comply.

We hired a CISO out of the military with a background in technology security. She makes sure the execs are paying attention. We have a team that consists of privacy officer, corporate compliance, audit, and CISO. They meet regularly to address all aspects of HIPAA and HITECH requirements including education.

It is business as usual with no real interest from the senior team or the board.

Our Privacy & Security Officers are, and they’re slowly getting the attention of leadership. We addressed a lot of the changes in the proposed rule, so we don’t have as much to address as we would otherwise.

Business as usual.

[vendor member response] Within our customer base I am seeing customers starting to pay attention to making sure all BAAs are updated and signed. However, I have had a couple of folks tell me there is “no hurry, since we have until early fall to totally comply.” I personally am not hearing of any urgency to meet the rule within any conversations I am having at the executive level. I am hoping that urgency is there, just not being expressed to me!

Business as usual.

Some attention — trying to understand implications…

Except for Compliance, Legal, and IT, it hasn’t had a lot of attention. Many vendors, especially small to mid-sized cloud hosting vendors, have not fully realized the implications.

Appropriate attention has been paid by those over that area.

Our executives have reviewed the rule to see where we need to comply and what actions to take.

Yes. This has been an agenda item for our executive-level compliance and privacy steering committee. As a result we’ve modified our business associate agreement, are in the process of rewriting the notice of patients’ right to privacy, and the same with data breach evaluation criteria.

Just business as usual. Haven’t heard it come up even once.

Business as usual.

Business as usual. We are overwhelmed right now with MU and NCQA. So many regulations, such limited staff to execute.

If anyone is paying attention to this, it is hard to tell.

More of business as usual. The interpretations and evasions are so vast and pandemic that it is more of a series of workarounds than a policy.

All with active BAAs are being touched. Mail-merged form letter, follow-up phone call, lawyer letter if still no response.

4 comments on this article:

  1. Wow. Those are some scary answers. Maybe you’d be doing all of us a favor by developing a HIPAA Omnibus Rule 101 series for HISTalk!!!!

  2. I think there is still considerable confusion and aversion over the definition of Business Associate. In the previous rendition of HIPAA, business partners were fine signing the BA because they had no skin in the game. Now under the new rulings there are definitely implications to being a BA. I know myself that I am starting to receive new BA Agreements now, and their BA definitions would leave any vendor who does not transmit PHI out of the equation, which I am fairly certain is not the case.

  3. From my work with vendors I think it still has not hit home. The new Rule moved them from bystanders to ‘participants’, a change that still has yet to resonate. As with many of these regs the rubber will meet the road when one of them gets hit with that $1.5 mill fine. And given the frequency of lost/stolen thumb drives, laptops, etc., it won’t be long.

  4. Working with/for a Regional Extension Center, I spend a great proportion of my time guiding/coaching covered entities through the required HIPAA Security Risk Analysis and Incident Response team protocols/policies and procedures. HIPAA Omnibus compliance dates for Sept 23rd 2013 are top of mind for medical practices, small and critical access hospitals, rural health centers, and FQHCs in order to meet Stage 1 / Year 1/2/3 of the CMS EHR Incentive program. And living and working in Idaho, we have unfortunately received the first ever fine/penalty for a breach under 500 patients as well as the 1st fine (of $400,000.00) for over 500 patient records in 2013. It is on our minds and action plans are in motion, but there is a lot to do! Your Regional Ext Center most likely has great resources in the area of HIPAA Privacy and Security, as I am certain about the WA & ID Regional Ext Center.
