3 Changes to HIPAA in the Interim Rule and Best Practices for Maintaining Compliance

Although the passing of HIPAA and its privacy and security rules for patient health information occurred over a decade ago, the HITECH Act passed in 2009 strengthens some of the already existing rules under HIPAA. Following the passing of the HITECH Act, the Department of Health & Human Services released interim final rules regarding the strengthened regulations. As these regulations become stricter and healthcare organizations and providers face greater liability for HIPAA violations, it is important for these entities to be aware of these recent HIPAA changes. Here are some of the most significant developments that modified the already existing HIPAA rules and best practices for maintaining compliance.

Latest changes to the HIPAA Privacy and Security Rules


1. Definition of a business associate. The definition of a "business associate" has been expanded in the interim final rule. Business associates are defined as companies that perform work on behalf of a healthcare provider or organization and who deal with the use of personal health information. Traditionally, the rule pertained to various healthcare professionals such as pharmacy benefits managers for insurance plans, billing companies and legal services, but it is now expanded to also cover vendors who contract with healthcare providers or organizations to provide personal health records, entities who are in contact with e-prescribing systems and, most importantly, subcontractors who act on behalf of direct business associates. These individuals are now liable for how they handle personal health information, and their uses of such data are associated with stricter monitoring and penalties.

"Let's say, for example, your hospital sends electronic equipment out to be repaired because you don't have a huge in-house IT department," says Jared Rhoads, senior research analyst at IT services and consulting firm CSC. "If [a hospital or other provider] sends out the equipment to an off-site company, that provider is now responsible for monitoring that company's practices for protecting health information, even though that is out of the provider's immediate control." Before the interim rule, if a provider was a covered entity and had a business relationship with a specialty vendor, not all of HIPAA would have extended to that business associate.

2. Accounting of disclosures. Healthcare providers and organizations may be required to account for each disclosure of personal health information. What this means is if one caregiver shares a patient's information with another caregiver, those individuals are required to disclose that exchange to the patient upon the patient's request. Traditionally, clinicians and organizations were required to keep a detailed list of disclosures dating back six years. Under the proposed changes, the length of time isn't as long, says Mr. Rhoads, but the scope of information will be broader so that it includes details about treatment, payment and healthcare operations.

"As the term implies, these caregivers need to account for disclosures. So if a patient shows up one day asking to see a list of all the people who have seen his or her personal health information, there is now a requirement that the organization needs to be able to furnish a detailed list," Mr. Rhoads says.

Additionally, healthcare providers are subject to new breach notification rules. "The new provisions are especially pertinent in the event of a breach affecting more than 500 individuals," he says. "If that is the case, then the covered entity is required to notify HHS and the general public through prominent media outlets."

3. HIPAA violation enforcement. As the requirements and rules under the HIPAA act continue to evolve and become more stringent, healthcare organizations, providers and business associates are liable to face stricter penalties for non-compliance. Violation of some HIPAA rules can result in devastating civil and criminal penalties, and the Department of Health & Human Services Office of Civil Rights will start recruiting enforcement agents and auditors to watch for such violations, says Linda Ricca, client partner at CSC.

Even individuals who were not cognizant of the violation they committed can face penalties of anywhere between $100 and $50,000 per violation. Penalties increase as the type of offense becomes more negligent, including up to $1.5 million annually as well as prison time. In addition to the monetary penalties, healthcare organizations can face serious damage to their reputation. "The cost of a breach is becoming higher and higher," says Ms. Ricca. "If a hospital has to go on the media about a breach of personal health information, then you have lost the trust of your patients who might start migrating to other institutions. There's a significant downstream impact, and the implications can be far-reaching."

Best practices for maintaining HIPAA compliance


1. Understand preemptive state laws pertaining to security and privacy rules. Ms. Ricca and Mr. Rhoads write in a white paper on privacy and security enforcement of patient health information that although HIPAA maintains federal privacy protections for personal health information, state laws may be in place that enact stricter privacy and security controls. Healthcare organizations and providers should continually scan the legislative realm, at both the federal and state level, to fully comprehend what rules and regulations apply to them.

2. Create and review business associate agreements. Now that the interim final rule has expanded the definition of a business associate, hospitals and healthcare providers would find it in their best interest to go back to all contracts with third-party companies to ensure those business associates are aligned with the updated version of HIPAA rules.

"This means digging up all your current contracts with all the companies you work with, going through each of them to ensure compliance and adding clauses and renegotiating them so they are in line with your organization's security and protection policy if required," Ms. Ricca says.

3. Set up a security office. Additionally, hospitals should elect a compliance officer and a chief information security officer, who are responsible for monitoring HIPAA compliance and developing a remediation strategy when they find issues. The compliance officer would ideally have a support team or department who would aid him or her in conducting security policy reviews.

"You also have to set up the governance and infrastructure within the hospital, so that might mean having a security officer who is a trusted advisor who monitors and changes business associate agreements to improve security within the infrastructure," Ms. Ricca says. "The security reviews also have to be ongoing because your hospital's security may be okay today, but there may be a breach next week. The officer should look at how many touch points there are between information systems. Any time a new system is implemented, all of the systems — including the new system — need to undergo review to minimize security risks."


© Copyright ASC COMMUNICATIONS 2019.
