Risk assessments, as outlined by HIPAA, must consider the following four factors: the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the protected health information or to whom the disclosure was made; whether the protected health information was actually acquired or viewed; and the extent to which the risk to the protected health information has been mitigated.
In addition, penalties for noncompliance were increased to a maximum of $1.5 million per violation, one of the many anticipated changes.
Security experts say HIPAA enforcement has increased over the last several years with millions of dollars in fines handed down for HIPAA noncompliance in 2012. Many of the data breaches over the last year can be pinpointed to data exposure via third-party service providers and other business partners.
Protecting patient data is a serious challenge. A study issued in December by the Ponemon Institute surveyed 80 healthcare organizations and found that 94 percent had at least one data breach in the past two years.
The final HIPAA rule update also addresses the marketing of patient healthcare information. It requires healthcare organizations to gain authorization from patients to use their health information for research purposes. It also prohibits "the sale of protected health information without the express written authorization of the individual, as well as the other uses and disclosures for which the rule expressly requires the individual’s authorization."
PUBLISHED JAN. 22, 2013