HIPAA Omnibus Rule Will Bring More Enforcement
April 9, 2013
The HIPAA Privacy and Security final rule — also known as the HIPAA Omnibus Rule — became effective March 26. We predict enforcers will have a heyday with expanded ability to crack down on providers and their business associates.
The biggest difference in the new rule is a change in breach notification. Under the old rule, providers were presumed innocent of harming patients when a breach occurred – until they proved otherwise. Under the new rule, providers are presumed guilty of harming patients when data is breached. They will have to prove their innocence.
Providers and their vendors and subcontractors have “in theory,” 180 days to comply before the Office for Civil Rights begins enforcement of the Omnibus Rule, beginning Sept. 23, 2013. But this doesn’t mean providers shouldn’t beware. They still will be held accountable under the old HIPAA rules until then.
The addition of business associates under the Omnibus rule could catch some companies and providers unaware and unprepared.
The Office for Civil Rights (OCR) has already prosecuted five covered entities, with the settlements ranging from $50,000 to $1.7 million. The smallest OCR enforcement action involved the breach of fewer than 500 records. These actions clearly indicates that is putting out the message that they are serious about enforcement. They are going after both small and large breach cases.
He said he had received emails from OCR indicating the agency is starting to hire enforcement officials. “There’s going to be a lot of enforcement going forward,” he says.
So how can covered entities prepare? For starters, small provider groups, short on resources, can rely on parent organizations or even government programs to help them do risk analysis. This fact should not be taken lightly. The main reason covered entities ran into big problems with OCR last year was due to inadequate monitoring and the failure to perform risk assessments. Providers should identify all of their vendors with access to protected health information (PHI) and ensure they are protecting it according to the new HIPAA rule.
In addition, a best practice for all covered entities is to create a visual map of their PHI data and understand where it resides. Also encrypt data in laptops and determine if data might best be kept safer in a centralized location. It is also a sound compliance practice to dramatically minimize the use of flash drives to store PHI data and never loose sight of the fact that PCs and servers are also vulnerable to breaches.