New, stricter standards have been implemented to the Final Health Insurance Portability and Accountability Act Omnibus to strengthen patient privacy protections. For those subject to HIPAA, compliance was required by Sept. 23, but one security compliance expert says many organizations are not fully aware of the changes and are at risk of having to pay hefty fees for not meeting those requirements.
Enacted in 1996, HIPAA was created to allow patients better access to their medical records and to have patients' records available to different doctors. In 2009, more regulations were implemented as the need for security and privacy of electronic patient data increased, said Chris Tyrrell, compliance practice lead for Conventus, a security and compliance solution provider.
"HIPAA was first introduced with very little teeth. If somebody failed to meet requirements, people weren't doing much about it," said Tyrrell. "In 2009, they realized they needed the regulations to have some teeth, and today the new Omnibus Rule strengthens the changes to security."
Under its new rules, healthcare providers, covered entities and business associates will have to be more responsible and aware when it comes to private patient health information, said Tyrrell.
"These changes are important in providing private citizens and individuals with the trust that their healthcare organization is not going to be distributing their personally identifying information," said Tyrrell. "The Omnibus Rule [holds] covered entities, and also business associates, accountable if there is a breach. "
In an effort to secure confidential information, the Omnibus Rule will now impose more penalties for those that put protected health information (PHI) at risk. According to Tyrrell, the Rule has four tiers, each with its own set of consequences if an organization fails to meet HIPAA responsibilities. The higher the level, the higher the fine is, which can be as low as $1,000 and as high as $1.5 million per violation, said Tyrrell.
Another new element to the Omnibus Rule is the inclusion of breach notifications, a regulation that is now more stringent and raises the level of expectations, said Tyrrell.
"The only time you had to notify a patient was if there was a serious risk of financial reputation," said Tyrrell. "With this new rule, it is the opposite. Unless the entity can prove there is not a significant risk, the patient needs to be notified."
In addition to being acquainted with the new regulations, all business associates should be formerly notified about the new changes, said Tyrrell.
"You want to identify all your business associates and those that you delegate, if they fall under the new definition," said Tyrrell. "Create business associate agreements and have contracts that spells out everybody's responsibility and have them currently up to date."
When adjusting to the changes and staying compliant, Tyrrell advises healthcare providers and covered entities to be familiar with the Health Information Technology for Economic and Clinical Health (HITECH) Act, Health Information Trust Alliance (HITRUST), and Notice of Private Practices (NPP). Staff should also be re-trained to react to new management procedures, said Tyrrell.
"From a compliant standpoint, you're making sure there are the right notifications and making sure staff is aware of procedures in accessing and utilizing this PHI," said Tyrrell. "While most people focus on IT on compliance, there are more elements to it. Companies must be diligent, document and understand what is going on."
PUBLISHED SEPT. 27, 2013