OCR Provides Guidance on the Omnibus Rule


We are finally starting to see further guidance on the Omnibus Rule as enforcement has arrived. Last week the Office for Civil Rights (OCR) provided examples and templates of a revised Notice of Privacy Practices (NPP) that organizations can use to develop their own revised NPP. They include the minimum requirements necessary to comply with changes from the Omnibus Rule.

Additionally, OCR provided guidance on marketing provisions, decedent information and student immunizations that helps clarify some of the changes. It created very helpful and informative FAQ sheets that explain the complex changes. CynergisTek recently reviewed the FAQ sheets and provided Healthcare Informatics an overview of what they mean.

  • Marketing (Refill Reminders): the FAQ sheet highlights requirements regarding prescription refill reminders and other medication communications. OCR points out that communications on refills and generic equivalents are within the exception. Additionally, communication about prescriptions can be excluded from the rule if there isn’t any financial remuneration involved. There are some scenarios in which financial remuneration is involved but the communication is still within the exception. To be considered reasonable, the financial remuneration can only be made in exchange for the cost of creating the communication. Additionally, non-financial and in-kind benefits are not considered financial remuneration. OCR’s guidance further details how to determine whether the communication involves remuneration and whether it is reasonable, and provides clarifying examples.
  • Decedent Information: the Omnibus Rule excludes decedent information for an individual who has been deceased for more than fifty years. The rule permits the release of decedent information to family members, individuals who were involved in the person’s care or payment for care prior to their death, law enforcement, organ donors and coroners. The Omnibus Rule limits disclosure to information that is relevant to the person’s involvement with the decedent’s care or financial payment for their care. To obtain decedent information, the requester must follow the standard authorization procedure. OCR provides additional guidance on decedents on its website and in the FAQs.
  • Student Immunizations: the Omnibus Rule allows organizations to disclose proof of required immunizations directly to the student’s school to help ensure the student can be admitted into school. Providers can only disclose the information if proof of the immunization is required by the state or a law, and the parent or guardian is required to grant either oral or written permission. If the student is emancipated or an adult, a provider can disclose the information as long as they receive and document the parent or student’s permission. OCR provides a series of FAQs to help clarify when and what can be disclosed for a student’s immunization record.

CynergisTek highly encourages organizations to read through OCR’s guidance and FAQs, as well as implement the necessary changes to their privacy policies. It is also important to train staff on the changes made to ensure compliance with the new standards. Please contact us if you would like to learn more about Omnibus Rule compliance requirements.

September 27th, 2013

About the Author:

Jana Langhorne
Jana Langhorne is the senior director of marketing for CynergisTek, Inc. She manages all of CynergisTek’s marketing and PR efforts, provides support to the sales teams and provides administrative leadership for the executive team. Jana has over thirteen years of combined experience in marketing, sales support and project management.