HIPAA Subcontractor Extension To Lead To More Accountability: Security Experts

The U.S. Department of Health and Human Services (HHS) has issued a major change to the Health Insurance Portability and Accountability Act of 1996, finalizing long-awaited modifications that extend the privacy rules to subcontractors and new language that experts say could make determining a breach easier for organizations.

The HIPAA modifications were introduced last week, finalizing proposed language changes but also adding changes that HHS says expand the requirements to business associates of healthcare providers and any entity with which they subcontract. HIPAA now covers the processors of health insurance plans and other service providers that handle personal healthcare information, such as contractors and subcontractors.

Up until now the focus has been on healthcare organizations themselves, said Kate Borten, president of The Marblehead Group, a consultancy that specializes in healthcare security. The new rule closes a serious gap in coverage, Borten said, now requiring each link in the contract and subcontract chain to be responsible for the next link.


"Finally these regulations mean that the entire chain of subcontractors is now directly liable to this federal agency and federal enforcement," Borten said. "There are so many third-party niche services provided across the entire spectrum of the healthcare delivery and the payment system, and they are frequently subcontracted multiple times."

The final rule states that healthcare organizations must ensure that business associates safeguard "electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities." HIPAA is extended to all Health Information Exchange Organizations as well as personal health record vendors that provide services to healthcare organizations, making them directly liable for violations of the requirements.

Business associates and subcontractors of all sizes have up to one year after the 180-day compliance date of March 26 to come into compliance with the provisions. HHS issued many of the changes as proposed rules in 2010, and security experts and healthcare providers have been waiting for them to be finalized. The final omnibus rule is based on statutory changes under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which provides that HHS enforces the HIPAA privacy protections.

HHS also clarified in the final rules what constitutes a reportable data security breach by adding language to the definition of breach. Under the final rules, "breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." The rules state that a risk assessment will be necessary to determine the probability that the health information was compromised.

"Breach notification is still challenging for a lot of organizations, but determining if you've had a breach should be slightly easier to do with the new language," Borten said. "Instead of trying to figure out possible harm to individuals, organizations need to focus on whether PHI has been compromised."


Risk assessments, as outlined by HIPAA, must consider the following four factors: the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the protected health information or to whom the disclosure was made; whether the protected health information was actually acquired or viewed; and the extent to which the risk to the protected health information has been mitigated.

In addition, penalties for noncompliance were increased to a maximum of $1.5 million per violation, one of the many anticipated changes.

Security experts say HIPAA enforcement has increased over the last several years with millions of dollars in fines handed down for HIPAA noncompliance in 2012. Many of the data breaches over the last year can be pinpointed to data exposure via third-party service providers and other business partners.

Protecting patient data is a serious challenge. A study issued in December by the Ponemon Institute surveyed 80 healthcare organizations and found that 94 percent had at least one data breach in the past two years.

The final HIPAA rule update also addresses the marketing of patient healthcare information. It requires healthcare organizations to gain authorization from patients to use their health information for research purposes. It also prohibits "the sale of protected health information without the express written authorization of the individual, as well as the other uses and disclosures for which the rule expressly requires the individual’s authorization."