On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued a press release announcing publication of the final omnibus rule with Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act.
The final rule updating HIPAA Privacy, Security and Breach Notification requirements creates a presumption of breach when an impermissible use or disclosure of PHI occurs and increases the fines for breaches. It also applies HIPAA directly to business associates and to some of their subcontractors and mandates changes to the notice of privacy practices given to patients.
What does this mean for your business? The final rule reiterates that healthcare providers must meet stringent requirements for patient privacy and data security. Their financial exposure, however, has now grown, given the aggressive enforcement posture that OCR has adopted towards organizations with lax privacy and security practices.
Highlights from the final ruling:
- Many of HIPAA’s privacy and security requirements will now directly apply to business associates.
- Business associates may also be liable for the increased penalties for noncompliance, which are tiered by level of negligence up to a maximum penalty of $1.5 million.
- Subcontractors of business associates will automatically become business associates themselves.
- The definition of breach is changed so that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.
- Breach notification is not required if a risk assessment demonstrates that there is a low probability that the protected health information has been compromised, rather than demonstrating that there is no significant risk of harm to the individual, as was provided under the interim final rule.
- The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if PHI has been compromised and breach notification is necessary.
- Patients can request a copy of their electronic medical record in an electronic form.
- There are new limits on how information is used and disclosed for marketing and fund-raising purposes; in particular, the sale of an individual’s health information without permission is prohibited.
- An individual’s ability to authorize the use of his or her health information for research purposes will be streamlined.
- The final rule is effective on March 26, 2013; the compliance date is 180 days thereafter (September 22, 2013). Covered entities and business associates will have up to one year after the 180-day compliance date to modify contracts in order to comply with the new rules.
Healthcare information flows
The flow of healthcare information follows the patient, starting at the doctor’s office, to laboratories, imaging centers, pharmacies, and other care facilities. This natural flow of medical records provides many points where information security must be considered and proper processes implemented.
The increasing interconnection, while extremely beneficial for patient healthcare, also raises risks related to patient privacy and confidentiality. There is a heightened consumer awareness regarding privacy of sensitive information, and the potential impact of reported data breaches has caused consumers to expect and demand protection of their personal health information.
As healthcare operations benefit from advancing technologies that promote information sharing, it is necessary to build and use the appropriate information protection framework to preserve the integrity and protect the confidentiality of Protected Health Information (PHI) and Personally Identifiable Information (PII).
Information protection evaluation checklist
Here is a list of questions that can help you start building a health information protection framework around the key elements below.
Strategy and Awareness
- Have you developed a health information protection strategy that encompasses the key elements of HIPAA and the HITECH Act?
- Have you performed a recent assessment to determine your compliance posture with the HIPAA Privacy/Security Rule?
- Have you prepared security awareness programs to promote understanding of health information privacy and HITECH requirements within your organization?
Information Security and Privacy
- Have you reviewed and updated Notice of Privacy Practices to reflect changes in privacy and security policies?
- Have you made updates to your security policies and program to reflect the changes in regulatory standards?
- Have you evaluated the restrictions on the sale and marketing use of health information imposed by the HITECH Act?
Security Technology and Operations
- Have you developed a detailed Breach Notification Policy that complies with HITECH and any state law counterpart to the new federal breach notification provisions?
- Have you evaluated access management for EHRs (the individual’s right to access) according to the HITECH guidance?
- Have you expanded your Business Associate Inventory to include vendors and other related services?
- Have you updated Business Associate Agreements to include expanded new requirements?
While regulations such as HIPAA and HITECH impose mandatory requirements, many health practitioners and organizations recognize that protecting healthcare information and ensuring consumer privacy are also good business practices that lead to satisfied consumers. The increasing exchange of health information brings new privacy and security challenges as the industry becomes increasingly interconnected. The security and privacy of patient data is a key element in creating a secure healthcare information infrastructure. The magnitude, complexity, and dynamic nature of developments affecting the exchange of health information demand a broad and flexible information protection strategy. That strategy must encompass risk management and governance policies so that people, processes, and technologies can meet the growing security and privacy requirements for proper treatment of health information.
There is a revolution in health information and health IT, moving toward EHRs, HIEs, ACOs, analytics, outcomes-based research, mobile, telemedicine, social media and other new and secondary uses. The new HIPAA changes will have immediate consequences, and the handling of health information is increasingly a regulated and complex area with heightened penalties and disclosure requirements for breaches and missteps. It is important for organizations to understand the financial and operational implications and to develop a well-thought-out strategy to remain in compliance while supporting the new health information uses, health IT, and channels.