HIPAA…the consulting gift that keeps on giving. The people I have worked with know well that I’ve been on a crusade to make sure that people don’t misspell HIPAA by putting in two P’s instead of the one required. I thought I would use that to my advantage, as I need to come up with witty titles each week, and decided I might as well make it work for me with my friend the hippo here. It is NOT HIPPA! It’s the Health Insurance Portability and Accountability Act, or HIPAA, and (for those who came in late) it was enacted on August 21, 1996, by the United States Congress and signed by President Bill Clinton that same year.
Giving it new life, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights last year announced a final rule (commonly called the Omnibus rule) that implemented a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under HIPAA. The rule was primarily created to allow patients better access to their own medical records and to make those records available to different physicians and care providers.
New, stricter standards have been implemented in the Omnibus rule in order to strengthen patient privacy protections. If your care delivery organization is subject to HIPAA, compliance was required by Sept. 23rd, 2013. Compliance experts are of the opinion that many organizations are not comprehensively aware of the changes that need to be in place in order to comply with the law and are at risk of having to pay heavy fines for not meeting the necessary requirements. For instance, the period during which Protected Health Information (PHI, such as names, birth dates, social security numbers, email addresses or medical record numbers) remains protected after a patient’s death was changed from indefinite to 50 years. Increased and more severe penalties also came into force for violations of PHI privacy.
Some of these changes update the Security Rule and Breach Notification portions of the HITECH Act. The biggest change is the expansion of requirements to business associates; before, only covered entities had been required to uphold these particular sections of the law.
In addition, the definition of ‘significant harm’ to an individual in terms of a breach was updated so as to subject covered entities to more review, with the intent of disclosing more breaches which, in prior years, had gone unreported. Previously, an organization needed to prove that harm had occurred; now it must prove the opposite, that no harm has occurred as a result of a breach.
With the new HIPAA Omnibus rule, the focus on security and confidentiality has been renewed. While care delivery organizations are feeling ‘regulatory compliance fatigue’, in this world of cyber crime and data moving across geographic lines at incredible speeds, the concern is real and breaches occur more often than organizations care to admit. With the increased level of sophisticated technology being used at care provider organizations, the ability to defend against these possible cyber threats is among the most necessary capabilities for today’s technology-encompassing, BYOD healthcare ecosystem.