HIPAA Omnibus Application

Curious as to how the new rules included in the HIPAA Final Omnibus Ruling apply to you and your clinic? Here, we provide a breakdown of what's in store for your practice starting September 23, 2013.

The American Medical Association (AMA) published some great information to help physicians navigate this new ruling, which also applies to rehab therapists. According to the AMA, providers should focus most heavily on these three areas:

1. Privacy, Security, and Breach Notification Policies and Procedures

  • You now must notify affected patients if there is a protected health information (PHI) breach unless—after completing a risk analysis—you determine that there is a “low probability of PHI compromise.”
  • If a patient has paid out-of-pocket, you must honor that patient’s request not to disclose information to a health plan about his or her care, unless it is to further treatment or is required by law (which is rare).
  • You may only tell a patient about a third-party product or service if that patient provides you with written authorization, unless—generally speaking—the communication:
    • doesn’t result in you receiving compensation;
    • takes place face-to-face;
    • involves medication the patient is currently prescribed (from which you’re not making a profit);
    • involves general health promotion (rather than the promotion of a specific product or service); or
    • involves government-sponsored programs.
  • You may not sell a patient’s PHI without express written authorization from the patient—this includes licenses, lease agreements, and the receipt of financial (or similar) benefits as well as research if there is any profit to be had. (This restriction does not apply to reasonable cost-based fees associated with permitted disclosures.)
  • You may make relevant PHI disclosures to a deceased patient’s family and friends in the same way you would if the patient were alive: if the family member or friend was involved in providing care or payment for care and you do not know of any preference otherwise. Also, HIPAA protection ceases 50 years after a patient passes away.
  • You must provide a patient with his or her PHI within 30 days of receiving a written request (preferably sooner) regardless of whether the information is in paper or electronic form. If for some reason you cannot reasonably comply, you may take one 30-day extension. However, you must respond to the patient with an explanation as to why it is taking you more than 30 days and when he or she can expect to receive the information. For electronic records, you must provide the information in the format that the patient requests it as long as the records are “readily reproducible” in that format. If they aren’t, you must provide the records in a mutually agreeable electronic format. Paper copies are only permissible if the requestor rejects all other “readily reproducible” electronic formats.
  • You are allowed to charge an individual for copies, including labor and supply costs. However, you may not make a profit nor charge more than your state law allows.
  • You may not send PHI in unencrypted emails unless you advise a patient of the risk and he or she still requests the information in that form.

2. Notice of Privacy Practices (NPP)

Be sure to amend your NPP to reflect these changes and make it available at your office to all new patients and any existing ones upon request. If you maintain a website, you should have this notice posted there as well.

3. Business Associate (BA) Agreements

This new ruling expanded the definition of a Business Associate to include Patient Safety Organizations and those involved with patient safety, health information organizations (like health information exchanges), and personal health record vendors. So, review your relationship with all of your vendors that create, receive, store, maintain, or transmit PHI on your behalf to determine if you need to enter into new BA Agreements before September 23, 2013. This new ruling also changes the nature of the BA Agreements so that now:

  • You (as the provider) no longer need to report the failures of your BA to the government—when it’s not feasible to terminate the agreement—because the BA is liable for the violation.
  • BAs are responsible for their subcontractors.
  • BAs must comply with the Security and Breach Notification Rules.
  • You (as the provider) are liable for the actions of your BAs who are agents, but not those who are independent contractors.

Also, as part of this final ruling, HHS passed the 2009 proposed increase in monetary penalties for civil (unintentional) breaches. This means that you could be looking at a $50,000 penalty for each violation. See the table below, which we modified from page 5583 of the Federal Register, and trust us: you don’t even want to know the penalties for criminal breaches.


Violation category (Section 1176(a)(1))    Each violation      All such violations of an identical provision in a calendar year
(A) Did Not Know                           $100–$50,000        $1,500,000
(B) Reasonable Cause                       $1,000–$50,000      $1,500,000
(C)(i) Willful Neglect, Corrected          $10,000–$50,000     $1,500,000
(C)(ii) Willful Neglect, Not Corrected     $50,000             $1,500,000

So to sum up: What does this new ruling mean for you? It means you had better protect PHI—carefully. Not only is this extremely important to your patients’ well-being—how would you like it if your personal health information was being broadcast at the water cooler or used to discriminate against you?—it’s also crucial to the financial stability of your practice.


How is your clinic preparing to be compliant with the new HIPAA ruling? Tell us in the comments below.


Note: We do our best to summarize our understanding of these rulings at the time that we publish our posts; but there’s a lot of information out there—and a lot that changes. As always, we recommend that you speak with a compliance consultant or health care attorney for compliance and legal advice as this article is meant for general educational purposes only. For more information on what to look for in a compliance expert, check out this post.
