HIPAA Privacy, Security, Enforcement, and Breach Notification Rules

By | December 14, 2012

Posted in: Network Security Trends

The “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules” Notice of Proposed Rulemaking (NPRM) was initially published in July 2010. The Office of Management and Budget (OMB) has now received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules, which have been bundled together in what is called the “Omnibus Final Rulemaking”. One of the biggest problems in rulemaking is the delay in the issuance of rules due to legal requirements, bureaucratic elements, and political influences. For covered entities (CEs), business associates (BAs) and their agents and subcontractors (the people to whom a BA would outsource a covered service), things are changing.

The original NPRM read: “The HHS/OCR will issue final rules to modify the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as necessary to implement the privacy, security, enforcement, and breach notification provisions of Subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009), and will modify the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008.” We originally expected the Rules to be finalized in early 2012. Right.

We knew that the NPRM would contain changes to the Final Rules for four of the HIPAA-HITECH related rules. The rules to be included were: the Genetic Information Nondiscrimination Act (GINA) NPRM, the Breach Notification Interim Final Rule (IFR), the Enforcement and Compliance IFR, and the HITECH Privacy/Security/Enforcement NPRM.

The HITECH changes address areas such as business associates (BA), enforcement, electronic access (Accounting of Disclosures), marketing, fundraising, no sale of PHI and the right to request restrictions.

Among the biggest changes will be those related to BAs, subcontractors and other parties, as HITECH casts a much wider net over millions of organizations. HITECH Sections 13401 and 13404 make BAs accountable to consumers and to HHS for protecting the privacy and security of protected health information, and directly liable for criminal and civil penalties for violations of certain provisions of the HIPAA Privacy and Security Rules.

The NPRM originally proposed the following:

1) Requiring that BAs comply with the technical, administrative, and physical safeguard requirements under the Security Rule.
2) Prohibiting a BA from making a use or disclosure in violation of the Privacy Rule.
3) Clarifying BAs are liable whether or not they have an agreement in place with the CE.
4) Defining subcontractors as BAs; clarifying that BA liability flows to all subcontractors.
5) Higher fines for failing to secure protected health information.

My opinion is that the final amendments will stay true to these proposals. The lines continue to blur as we look at the differences between BAs and CEs. There are rules that BAs will now be expected to follow that have historically applied only to CEs. These 4 items above will impact BAs. However, they are also simply good business practices. More regulations, more liability, more responsibility, and more risk. A real-world, relevant training program for your employees is paramount.

About the Author: Tom Dumez, President of Prime Compliance, LLC, is a Certified HIPAA Professional (CHP) and a Certified Security Compliance Specialist (CSCS) who created an employee HIPAA training program specific to RIM companies. Tom has been a guest on the 'RIMpro Report' and 'Inside The Records Room' internet shows, has been published by Storage and Destruction Business magazine, and has been interviewed by Joanne Finnegan of HCPro, Inc. Tom served on the Professional Records and Information Services Management (PRISM) International Board of Directors from January 2011 through December 2012.

Editor’s Note: The views expressed in this article are the opinions of the author. Security Bistro is not responsible for the article’s content or messaging.
