Last Friday, January 25th 2013, HHS released its highly anticipated omnibus HIPAA “Final Rule.” This rule solidified the regulations governing HIPAA security and privacy and the HITECH data breach notification requirements. Doug Pollack of ID Experts had a great Q&A with HITECH Answers in which he discusses at length the changes, and non-changes, in the rule and what both Covered Entities and Business Associates need to know to be compliant moving forward.
“1. The HIPAA Omnibus Rule has been in the works for several years now and modifies the HIPAA Privacy & Security Rules passed as part of the HITECH Act. Can you tell us why modification was needed?
To clarify, the HITECH Act was a piece of legislation that required the rulemaking body, the U.S. Department of Health and Human Services Office for Civil Rights (OCR), to update HIPAA Privacy and Security Rules to comply with provisions of the Act. For example, there were provisions in the law that required updates to the Security Rule requiring not just HIPAA covered entities but also HIPAA business associates to be in compliance with the rule and be subject to fines and penalties for potential negligence for non-compliance. The HIPAA Omnibus Final Rule also clarified language from the Interim Final Rule in order to clarify that downstream contractors from business associates that touch protected health information (PHI) will also be considered business associates.
2. When does the HIPAA Omnibus Rule go into effect for Covered Entities and Business Associates?
This final rule is effective on March 26, 2013. Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013. Until then, they must comply with the Interim Final Rules as published.
3. We’re reading that the HIPAA Omnibus Rule has brought “sweeping changes” to HIPAA privacy and security enforcement. Can you give us a brief rundown of a few of the key compliance issues contained in the final rule?
Sure. One compliance issue with significant changes in the rules is breach notification. There is a requirement that for every data security incident involving PHI, the entity would conduct an incident risk assessment in order to determine the probability that the information was compromised. The rules lay out objective measures for carrying out this assessment covering four factors that must be evaluated. So for instance, if an entity has an incident and its risk assessment concludes that there was a very low probability of compromise of the PHI, it could choose not to notify the affected individuals or OCR. However, the rules require that the entity maintain a “burden of proof” if its conclusions are called into question. So for instance, if OCR investigated the covered entity, it would be required to provide conclusive documentation of its incident risk assessment and analysis as to why the incident did not result in a “compromise” of PHI. If the entity doesn’t meet that burden of proof, it could be found to have been negligent in not notifying the affected individuals and subject to substantial fines, penalties, and corrective action.”
You can read the whole article, “HIPAA Omnibus Ushers In Compliance Changes and Challenges,” here.