News Feature | August 6, 2013

Final Countdown To HIPAA Rule Implementation Begins

Source: Health IT Outcomes

By Katie Wike, contributing writer

The final HIPAA omnibus rule holds healthcare providers responsible for the security of patient information, even after it has been transferred to a vendor; impact on providers as covered entities will be “significant”

With the number of electronic health records (EHRs) rapidly growing - and sharing of those records between hospitals and their associates more prevalent than ever - it’s increasingly important to protect patients’ personal information. This takes on a new sense of urgency in light of the upcoming September start date for the Office for Civil Rights to begin audits of covered entities' business associate oversight.

Faced with $1.5 million in fines for noncompliance that come with failing an audit, hospitals will need to ensure the security of their patients’ protected health information, even when those records have been handed over to organizations the hospital does business with. This is the result of the final HIPAA omnibus rule, which amends privacy, security, breach notification, and enforcement regulations and went into effect in March as part of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).

Becker’s Hospital Review underscores the need for increased provider attention to the abuse of EHRs by business partners, citing a study by the Office for Civil Rights that concluded “45 percent of healthcare providers and other covered entities had an average of five HIPAA data breaches during any given year, with two-thirds of incidents involving a business associate.”

Becker’s concedes the “impact on healthcare providers as covered entities will be significant,” noting, “The final HIPAA omnibus rule will greatly increase the number of business associate-vendors due to the expanded definition (of what a business associate is) and the fact that providers will now review vendors with a greater level of scrutiny.

“Oversight is required with real demonstration of a comprehensive process including the documentation of the oversight policy and the actions taken. Oversight for some organizations previously meant sending a business associate survey to suppliers' sales representatives, who then signed off indicating they were not a business associate, and that was the end of it. This will not be acceptable under the new oversight requirements. Covered entities (healthcare providers, health systems, and clearing houses) need to examine their vendor relationships and take the necessary steps to guarantee that their business partners are doing everything they can to protect PHI.”

The National Law Review echoes Becker’s sentiments, writing, “The changes require covered entities and their business associates to conduct a security risk assessment; revise their existing privacy, security, and breach notification policies and procedures; amend their business associate agreements; and retrain their workforce on the revised policies.”

While there are numerous changes to the rule, The National Law Review lists the following as the most significant:

  • Business associates are directly liable for civil money penalties and criminal penalties for violations of the Privacy Rule and Security Rule.
  • The definition of business associate is expanded to include a subcontractor of a business associate so that subcontractors also are liable for violations of the privacy, security and breach notification standards.
  • The definition of a breach of unsecured protected health information (PHI) is revised to make it more difficult for a covered entity or business associate to avoid reporting an unauthorized use or disclosure of PHI to the affected individuals and the Office of Civil Rights.
  • A covered entity generally may not receive cash or other financial remuneration for marketing communications made for a third party’s products or services.
  • Certain restrictions on the use of compound authorizations in connection with research studies were changed in a way that will simplify secondary uses of PHI for research purposes.