HIPAA Omnibus Application

Curious as to how the new rules included in the HIPAA Final Omnibus Ruling apply to you and your clinic? Here, we provide a breakdown of what's in store for your practice starting September 23, 2013.

The American Medical Association (AMA) published some great information to help physicians navigate this new ruling, which also applies to rehab therapists. According to the AMA, providers should focus most heavily on these three areas:

1. Privacy, Security, and Breach Notification Policies and Procedures

  • You now must notify affected patients if there is a protected health information (PHI) breach unless—after completing a risk analysis—you determine that there is a “low probability of PHI compromise.”
  • If a patient has paid out-of-pocket, you must honor that patient’s request not to disclose information to a health plan about his or her care, unless it is to further treatment or is required by law (which is rare).
  • You may only tell a patient about a third-party product or service if that patient provides you with written authorization, unless—generally speaking—the communication: 
    • doesn’t result in you receiving compensation;
    • takes place face-to-face;
    • involves medication the patient is currently prescribed (from which you’re not making a profit);
    • involves general health promotion (rather than the promotion of a specific product or service); or
    • involves government-sponsored programs.
  • You may not sell a patient’s PHI without express written authorization from the patient—this includes licenses, lease agreements, and the receipt of financial (or similar) benefits as well as research if there is any profit to be had. (This restriction does not apply to reasonable cost-based fees associated with permitted disclosures.)
  • You may make relevant PHI disclosures to a deceased patient’s family and friends in the same way you would if the patient were alive: if the family member or friend was involved in providing care or payment for care and you do not know of any preference otherwise. Also, HIPAA protection ceases 50 years after a patient passes away.
  • You must provide a patient with his or her PHI within 30 days of receiving a written request (preferably sooner) regardless of whether the information is in paper or electronic form. If for some reason you cannot reasonably comply, you may take one 30-day extension. However, you must respond to the patient with an explanation as to why it is taking you more than 30 days and when he or she can expect to receive the information. For electronic records, you must provide the information in the format that the patient requests it as long as the records are “readily reproducible” in that format. If they aren’t, you must provide the records in a mutually agreeable electronic format. Paper copies are only permissible if the requestor rejects all other “readily reproducible” electronic formats.
  • You are allowed to charge an individual for copies, including labor and supply costs. However, you may not make a profit nor charge more than your state law allows.
  • You may not send PHI in unencrypted emails unless you advise a patient of the risk and he or she still requests the information in that form.

2. Notice of Privacy Practices (NPP)

Be sure to amend your NPP to reflect these changes and make it available at your office to all new patients and any existing ones upon request. If you maintain a website, you should have this notice posted there as well.

3. Business Associate (BA) Agreements

This new ruling expanded the definition of a Business Associate to include Patient Safety Organizations and those involved with patient safety, health information organizations (like health information exchanges), and personal health record vendors. So, review your relationship with all of your vendors that create, receive, store, maintain, or transmit PHI on your behalf to determine if you need to enter into new BA Agreements before September 23, 2013. This new ruling also changes the nature of the BA Agreements so that now:

  • You (as the provider) no longer need to report the failures of your BA to the government—when it’s not feasible to terminate the agreement—because the BA is liable for the violation.
  • BAs are responsible for their subcontractors.
  • BAs must comply with the Security and Breach Notification Rules.
  • You (as the provider) are liable for the actions of your BAs who are agents, but not those who are independent contractors.

Also, as part of this final ruling, HHS passed the 2009 proposed increase in monetary penalties for civil (unintentional) breaches. This means that you could be looking at a $50,000 penalty for each violation. See the table below, which we modified from page 5583 of the Federal Register, and trust us: you don’t even want to know the penalties for criminal breaches.


Violation category (Section 1176(a)(1))     Each violation       All such violations of an identical provision in a calendar year
(A) Did Not Know                            $100–$50,000         $1,500,000
(B) Reasonable Cause                        $1,000–$50,000       $1,500,000
(C)(i) Willful Neglect, Corrected           $10,000–$50,000      $1,500,000
(C)(ii) Willful Neglect, Not Corrected      $50,000              $1,500,000

So to sum up: What does this new ruling mean for you? It means you’d better protect PHI—carefully. Not only is this extremely important to your patients’ well-being—how would you like it if your personal health information was being broadcast at the water cooler or used to discriminate against you?—it’s also crucial to the financial stability of your practice.


How is your clinic preparing to be compliant with the new HIPAA ruling? Tell us in the comments below.


Note: We do our best to summarize our understanding of these rulings at the time that we publish our posts; but there’s a lot of information out there—and a lot that changes. As always, we recommend that you speak with a compliance consultant or health care attorney for compliance and legal advice as this article is meant for general educational purposes only. For more information on what to look for in a compliance expert, check out this post.
