HIPAA Omnibus Application

Curious as to how the new rules included in the HIPAA Final Omnibus Ruling apply to you and your clinic? Here, we provide a breakdown of what's in store for your practice starting September 23, 2013.

The American Medical Association (AMA) published some great information to help physicians navigate this new ruling, which also applies to rehab therapists. According to the AMA, providers should focus most heavily on these three areas:

1. Privacy, Security, and Breach Notification Policies and Procedures

  • You now must notify affected patients if there is a protected health information (PHI) breach unless—after completing a risk analysis—you determine that there is a “low probability of PHI compromise.”
  • If a patient has paid out-of-pocket, you must honor that patient’s request not to disclose information to a health plan about his or her care, unless it is to further treatment or is required by law (which is rare).
  • You may only tell a patient about a third-party product or service if that patient provides you with written authorization, unless—generally speaking—the communication: 
    • doesn’t result in you receiving compensation;
    • takes place face-to-face;
    • involves medication the patient is currently prescribed (from which you’re not making a profit);
    • involves general health promotion (rather than the promotion of a specific product or service); or
    • involves government-sponsored programs.
  • You may not sell a patient’s PHI without express written authorization from the patient—this includes licenses, lease agreements, and the receipt of financial (or similar) benefits as well as research if there is any profit to be had. (This restriction does not apply to reasonable cost-based fees associated with permitted disclosures.)
  • You may make relevant PHI disclosures to a deceased patient’s family and friends in the same way you would if the patient was alive: if the family member or friend was involved in providing care or payment for care and you do not know of any preference otherwise. Also, HIPAA protection ceases 50 years after a patient passes away.
  • You must provide a patient with his or her PHI within 30 days of receiving a written request (preferably sooner) regardless of whether the information is in paper or electronic form. If for some reason you cannot reasonably comply, you may take one 30-day extension. However, you must respond to the patient with an explanation as to why it is taking you more than 30 days and when he or she can expect to receive the information. For electronic records, you must provide the information in the format that the patient requests it as long as the records are “readily reproducible” in that format. If they aren’t, you must provide the records in a mutually agreeable electronic format. Paper copies are only permissible if the requestor rejects all other “readily reproducible” electronic formats.
  • You are allowed to charge an individual for copies, including labor and supply costs. However, you may not make a profit nor charge more than your state law allows.
  • You may not send PHI in unencrypted emails unless you advise a patient of the risk and he or she still requests the information in that form.

2. Notice of Privacy Practices (NPP)

Be sure to amend your NPP to reflect these changes and make it available at your office to all new patients and any existing ones upon request. If you maintain a website, you should have this notice posted there as well.

3. Business Associate (BA) Agreements

This new ruling expanded the definition of a Business Associate to include Patient Safety Organizations and those involved with patient safety, health information organizations (like health information exchanges), and personal health record vendors. So, review your relationship with all of your vendors that create, receive, store, maintain, or transmit PHI on your behalf to determine if you need to enter into new BA Agreements before September 23, 2013. This new ruling also changes the nature of the BA Agreements so that now:

  • You (as the provider) no longer need to report the failures of your BA to the government—when it’s not feasible to terminate the agreement—because the BA is liable for the violation.
  • BAs are responsible for their subcontractors.
  • BAs must comply with the Security and Breach Notification Rules.
  • You (as the provider) are liable for the actions of your BAs who are agents, but not those who are independent contractors.

Also, as part of this final ruling, HHS passed the 2009 proposed increase in monetary penalties for civil (unintentional) breaches. This means that you could be looking at a $50,000 penalty for each violation. See the table below, which we modified from page 5583 of the Federal Register, and trust us: you don’t even want to know the penalties for criminal breaches.


Violation category (Section 1176(a)(1))     Each violation       All such violations of an identical provision in a calendar year
(A) Did Not Know                            $100–$50,000         $1,500,000
(B) Reasonable Cause                        $1,000–$50,000       $1,500,000
(C)(i) Willful Neglect, Corrected           $10,000–$50,000      $1,500,000
(C)(ii) Willful Neglect, Not Corrected      $50,000              $1,500,000

So, to sum up: what does this new ruling mean for you? It means you had better protect PHI—carefully. Not only is this extremely important to your patients’ well-being—how would you like it if your personal health information were being broadcast at the water cooler or used to discriminate against you?—it’s also crucial to the financial stability of your practice.


How is your clinic preparing to be compliant with the new HIPAA ruling? Tell us in the comments below.


Note: We do our best to summarize our understanding of these rulings at the time that we publish our posts; but there’s a lot of information out there—and a lot that changes. As always, we recommend that you speak with a compliance consultant or health care attorney for compliance and legal advice as this article is meant for general educational purposes only. For more information on what to look for in a compliance expert, check out this post.
