Posted: August 09, 2013
HIPAA rules alert: What you need to know
Your business could be affected even if you’re not in health care
By Bud Michael
In January, the Department of Health and Human Services (HHS) published a revised set of security and privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA). The new 563-page HIPAA omnibus rules, effective Sept. 23, include many new requirements and compliance regulations with broader categories of business associates.
Health care providers and business associates must comply with the new regulations. Failure to do so has a serious downside: The final rules move HIPAA enforcement away from the previous voluntary compliance framework and toward a penalty-based system. The tiered penalty structure has penalties ranging from $100 to $50,000 per violation, depending on the level of culpability, with a $1.5 million cap per calendar year for multiple violations of identical provisions, and criminal penalties of up to 10 years’ imprisonment.
Willful neglect is at the top of the scale, and even where there is merely a possibility of a violation due to willful neglect, HHS can impose civil monetary penalties without first exhausting informal resolution options.
Here are 12 things you need to know:
Business Associates: Patient safety organizations, health information organizations (HIOs), e-prescribing gateways and "other persons that facilitate data transmission", as well as personal health records vendors, are now explicitly named as business associates. The term "HIO" is used because it includes both health information exchanges and regional health information organizations.
The categories of business associates are expanded. Earlier in the regulatory process, business associates were defined as companies working with protected patient data such as firms engaged in processing health insurance claims. The new rule, in contrast, describes business associates as companies that "create, receive, maintain or transmit" protected health data on a covered entity's behalf. According to a regulatory impact analysis contained in the rule, the Office of Civil Rights (OCR) estimates up to 500,000 business associate covered entities exist in the nation and the number of subcontractors could be staggering.
Business associate entities are now also subject to random HIPAA compliance audits and violation fines.
The number of business associates a medium-sized hospital has may run into the thousands. Auditing each one to confirm it has read the health care provider’s business associate agreement before signing will be nearly impossible for the CIO and compliance staff who administer them, let alone confirming that each has the policies, risk assessments, encryption and other network security technologies, and physical access controls in place.
Subcontractors of business associates are now in the same category as business associates with respect to compliance reporting, and are subject to random HIPAA compliance audits and violation fines.
Business associates cause about 28 percent of data breaches. It is therefore suggested that Health Care Provider (HCP) resources be allocated to tightening business associate agreements under the new HIPAA rules, protecting the HCP by developing and executing new procedures that require more security: business associates should be required to follow physical access controls for their buildings, deploy electronic intrusion prevention, carry data breach insurance, and follow specific data destruction practices.
Health care providers should rework business associate contracts to include language acknowledging that each associate understands it must comply with the breach notification rules.
Harm threshold: The updated rule presumes harm whenever there is a high probability that personal health information (PHI) has been compromised. It is up to the covered entity to assess whether an event such as a lost thumb drive or a network intrusion is likely to have compromised PHI, and to report any such cases to the OCR.
Direct liability of Business Associates: Previously, the key legal relationship was between the covered entity and the business associate. A contractor could end up in breach of contract for a HIPAA security lapse, but the government couldn't go after them. The revised regulations, however, make business associates directly accountable to the government for their missteps. The shifting compliance burden may, in some cases, fall more heavily on contractors as opposed to their healthcare customers because of the amount of information they possess and the number of clients from whom they receive data.
Subcontractors to business associates may themselves be deemed business associates under the same criteria. This means that IT outsource providers and MSPs who have “business associates” as clients must now comply with the HIPAA Omnibus Compliance rules – and they are also subject to the violation fines.
Storage companies that previously were not considered business associates are now business associates as well. Because they are involved in storing, maintaining, hosting and processing data, they may face particularly high risk.
Resellers, managed services providers and cloud services vendors could potentially fall within the business associate category.
HCPs, business associates, and subcontractors subject to the provisions of HIPAA should reevaluate their existing incident response and breach notification practices to ensure that they are in compliance with the new mandate.
This should include verifying that the definitions used in the organization’s practice match HIPAA’s requirements, and performing the risk assessment needed to determine whether an incident constitutes a breach. Additionally, policies and procedures that implement the requirements to notify both HHS and affected individuals when a breach occurs should be in place.
The preceding article was compiled in synopsis from HIPAA rules and industry information available. Bud Michael and eSoft are not a “certified HIPAA compliance agency.” For definitive information on HIPAA compliance rules, please consult a HHS – HIPAA representative or healthcare legal counsel.
Bud Michael is President & CEO of eSoft. Based in Broomfield, Colorado, eSoft provides cybersecurity for small and medium businesses (SMBs). The company’s Unified Threat Management proactively protects businesses from Web, email, and network threats while providing safe, secure access for employees to your network and the Web. Bud welcomes your emails at firstname.lastname@example.org