By Dom Nicastro, HealthLeaders Media, January 22, 201
The HIPAA omnibus final rule released by the Department of Health & Human Services January 17 will cost hospitals some time and money in regulation analysis, training, and policy revision, but shouldn’t break the bank, healthcare leaders and privacy and security experts say.
The HIPAA “mega rule,” so-called by some in the industry, represents the largest set of modifications to the HIPAA privacy and security rules to date.
“The new law needs to be analyzed and will have some impact on current processes, although they appear after my high level review to be expected and minor in nature,” says Chris D. Van Gorder, FACHE, president and CEO of Scripps Health in San Diego.
“There will be costs to Scripps to analyze the regs, revise policies, revise and distribute the Notice of Privacy Practice (NPP), and to revise our standard Business Associate agreement if legal determines that is necessary and get our BA’s to sign the new version.”
The final omnibus rule enhances a patient’s privacy protections, provides individuals new rights to their health information, strengthens the government’s ability to enforce the law, and requires updates to business associate contracts.
The rule, required by the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law in February of 2009, is enforceable beginning September 24. It holds accountable third-party subcontractors who use and disclose PHI to HIPAA rules and penalties.
Regulation review
Healthcare leaders must direct someone, most likely privacy and security officers, to perform a thorough review to identify high level process and policy changes necessary for compliance with the new rule.
“I think for CEO and CIO, the first step is to ensure your privacy and security officers get right on this and digest it,” says Kate Borten, CISM, CISSP, former head of information security at Massachusetts General Hospital in Boston and the president of The Marblehead Group, a healthcare privacy and security consultancy in Marblehead, MA. “They are your internal experts, and this is a big part of their role.”
Organizations charged with HIPAA compliance must understand now that all signs are pointing to increased enforcement, adds Brad M. Rostolsky, partner in the Philadelphia office of the law firm Reed Smith, LLP.
“The ‘good old days’ of voluntary compliance and ‘slaps on the wrist’ seem to be a thing of the past,” Rostolsky says. “As a result, it’s important that regulated businesses, from the top down, are seen to have buy-in to HIPAA compliance efforts. HIPAA privacy and security officers should be involved at the highest levels of compliance planning.”
Increased penalties for noncompliance
HHS made official in the omnibus rule increased civil monetary penalties ranging from $100 in the “did not know” category to $1.5 million in the “not corrected” category.
The factors that will be considered when determining civil money penalties for non-compliance have expanded significantly, says Rebecca Herold, CISSP, CIPP/US/IT, CISM, CISA, FLMI, partner in Compliance Helper and CEO of The Privacy Professor of Des Moines, IA.
“To date, the factors really only involved the implementation of controls, as required by HIPAA, and any levels of ‘willful neglect’ involved in the associated situations,” Herold says. “So pretty much the sanctions applied were based upon the preventive actions that were in place, or lacking. Now there are significant additional considerations: the impacts of the breach will be considered.”
What will HHS review in terms of the extent of breaches in the new omnibus rule?
- Number of individuals affected
- Time period during which the violation occurred
- Nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:
- Whether the violation caused physical harm
- Whether the violation resulted in financial harm
- Whether the violation resulted in harm to an individual’s reputation
- Whether the violation hindered an individual’s ability to obtain healthcare
“I find the consideration of harm to an individual’s reputation to be of particular interest, since that has been comparatively hard to prove in past court cases,” Herold says. “However, this particularly points to the need to keep patient information off social media sites, since that has been a source of many breaches involving patient information.”
Action steps for C-Suite
Though enforcement will not come until the fall, CEOs must know the changes will require actions that go beyond the simple checklist approach to compliance that has been par for the course over the past several years, Herold says.
“Those responsible for compliance must be able to implement, and maintain, controls that will fit the organizational environment, and that will be incorporated into every-day work activities,” she adds.
Healthcare leaders, she says, should consider the following compliance action steps:
- Support more training, and significantly more ongoing awareness communications than most CEs and BAs currently are providing
- Encourage more oversight of BAs. This means better tracking of the BAs.
- Update the organization’s breach-response plans. The rule eliminates the “harm threshold” provision, which allowed covered entities and business associates to avoid breach notification if they determined themselves a breach would not cause harm to an individual. HHS now calls for covered entities and BAs to assess the probability that the PHI has been compromised instead of assessing the risk of harm to the individual.
- Establish a way to monitor compliance and risks on an ongoing basis, along with metrics/statistics, to most quickly identify when problems areas with regard to security and privacy emerge
- Implement better PHI safeguards by CEs and all others (BAs and their subcontractors) which will lead to fewer breaches and also help to ensure more accurate PHI
- Assign a person/team responsibility for doing a gap analysis between current practices and the new requirements
- Identify all BAs and make sure they know the new requirements, and provide some type of evidence to demonstrate their compliance activities
- Plan to provide an awareness communication about the upcoming changes to personnel as soon as possible, and then plan a training session with all personnel sometime in the near term (e.g., within the next month or two; by the March 25 effective date would be ideal).
- Implement ongoing compliance monitoring actions, with associated metrics.
“From my perspective, a covered entity or business associate’s most important reaction to the final rule is to make sure that it has recently undertaken a Security Rule risk analysis,” Rostolsky says. “Although the final rule includes many areas of significant change, the Office for Civil Rights (the HIPAA enforcer under HHS) is clearly viewing the failure to conduct a risk analysis as a key trigger to enforcement action.”
Further, BAs, covered entities and now those subcontractors of BAs who use and disclose PHI on behalf of BAs must update business associate contracts within 180 days from the date the rule is published in the Federal Register (January 25).
“The HITECH rules already addressed this, and enough guidance was provided in HITECH and within that next year so that Scripps has already revised our standard BAA,” Van Gorder says. “We might expect that some smaller BAs may go out of business or change their business if they are un-willing or unable to comply with the HIPAA rules, particularly the Security Rule.”
A major rule regarding HIPAA privacy is still due: The accounting of disclosures rule that will greatly impact patients’ rights to request records and potentially give them more access to who viewed their records through an “access report.”
“I would share with a board that it doesn’t seem these final rules are creating too many ripples in the HIPAA pond,” says Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, AZ.
“But be aware that one of the big questions about whether patients’ will have the right to an access report has yet to be answered. That is one area I see as one of the most challenging and ambitious HIPAA requirements to be decided upon.”
