HIPAA Changes Could Create New Bureaucratic Burdens

From January 23, 2013 article by Michelle McNickle, Associate Editor of InformationWeek Healthcare

Modifications to HIPAA may take the focus off patients and pile on administrative work.

Changes coming to the HIPAA Privacy and Security Rule mean added administrative work, and they could mean additional reporting, said Lisa Sotto, head of Hunton & Williams’ global privacy and data security practice in an interview with InformationWeek Healthcare.

The Department of Health and Human Services recently announced what Office of Civil Rights (OCR) director Leon Rodriguez called “sweeping changes” to HIPAA that will strengthen the OCR’s ability to enforce HIPAA.

The changes, also known as the final omnibus rule, are broken down into four parts, HHS explained in a PDF document. Among the four parts are modifications to the HIPAA security rule first proposed in July 2010; changes to HIPAA enforcement to incorporate the tiered civil monetary penalty structure provided by the HITECH Act; a final rule on breach notification for unsecured protected health information under the HITECH Act; and a final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit health plans from using or disclosing genetic information for underwriting purposes.

The final rule focusing on breach notifications creates a “significant shift” in the new issuance from a harm-based standard to a focus on the probability that data is compromised in any data leak, Sotto said. The interim final rule had used a harm threshold that meant companies had to notify patients of a data loss if there was a significant risk of patient harm. That threshold has been replaced by a presumption that data privacy is compromised when data is exposed, unless the organization can demonstrate there was a low probability that personal health information had been compromised based on a set of factors.

“The focus on harm to the individual and any injury the individual may suffer has been eclipsed by the question of whether the PHI has been compromised,” she said. OCR considers this a more objective standard, but “I like the idea of the assessment focusing on the individual, rather than thinking about a breach in a vacuum without strong reference to the individual,” Sotto said.

The new rules also could force organizations to know how data is handled by business partners. A “business associate” amendment was part of HITECH when it was first enacted in 2009. What’s changed as part of the first rule, said Sotto, is that HHS has imposed an obligation “all the way downstream” to every subcontractor that has access to PHI. This results in “some very long chains of custody for data,” she said.

“There’s a huge bureaucratic burden that’s about to hit because every business associate agreement in place needs to be amended, and a huge wave of businesses in the U.S. will be hit with business associate-like agreements because they’re subcontractors,” said Sotto. “They could be the subcontractor of a subcontractor to the business associate of a covered entity.” IT organizations will have to let all their subcontractors know they’re directly responsible for HIPAA compliance, she said. “This is an enormous administrative burden that’s about to happen,” Sotto warned.