Jan McDavid, General Counsel at HealthPort, highlights some of the key content in the new HIPAA omnibus final rule that healthcare providers should understand.
On January 17, 2013, to much fanfare, HHS released its eagerly anticipated HIPAA omnibus rule, which dramatically amends the HIPAA Privacy, Security, Breach and Enforcement Rules. The effect on healthcare providers and their business associates should not be taken lightly. The new rule goes into effect on March 26, and covered entities and business associates (BAs) are expected to comply by September 23 – not a lot of time to get one’s ducks in a row. Obviously, healthcare providers need to understand the new rule – and the depth of its ramifications – post-haste.
HHS Secretary Kathleen Sebelius made clear the intent of the new rule in an introductory statement:
“The final rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”
She went on to place the new rule in context:
“Much has changed in healthcare since HIPAA was enacted over 15 years ago. The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
The impressive document, at 563 pages, proved challenging to decipher. I’ll help you cut to the chase by highlighting some of its key content:
In a nutshell, healthcare providers have lots of work to do. Most immediately, providers need to update their business associate agreements and their breach analysis and notification processes.
The notification of breaches also gains importance under the new final rule. With a new study by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association showing that nearly 60% of organizations incurred a data breach within the last twelve months (and nearly 20% suffered multiple breaches), it makes sense for organizations to prepare themselves to react to inevitable breaches. And, as mentioned above, the rule’s expanded definition of “breach” will make breaches more numerous. Breaches are expensive. The same study showed that in 16% of breach occurrences, remediation costs were greater than $50,000. In 3% of occurrences, costs topped $500,000.
The new HIPAA omnibus rule will present challenges on multiple levels to healthcare providers as we all scramble to comply. Communicating requirements succinctly to BAs, updating your breach notification process, and keeping patient data organized and retrievable will go a long way in meeting these new challenges.
Jan P. McDavid, Esq. is the General Counsel and Chief Compliance Officer at HealthPort.