What To Expect With HIPAA Omnibus Rule Enforcement
October 8, 2013
Although the long anticipated Sept. 23 enforcement date for the HIPAA Omnibus Rule has arrived, many healthcare information security experts don’t anticipate an immediate surge in crackdowns on those who are not in compliance.
There is strong reason to believe that there will not be a ‘big bang’ enforcement effort on and after Sept. 24, but covered entities and business associates should be prepared nevertheless. There is a good chance medical organizations could fly under the radar, but is it really worth it for covered entities to take that chance?”
Here’s what Rachel Seeger, a spokesperson for the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, has to say: “For OCR, September 23 is business as usual as we have not paused in our enforcement efforts. We will, however, begin looking at investigations in a post-Omnibus era with a new lens with respect to compliance responsibilities of covered entities and now business associate liability.”
Seeger doesn’t offer specifics about the intensity of the enforcement effort, other than to note: “Like many covered entities and business associates, OCR has been busy training staff across the country on the various rule changes.”
She also points out, however, that OCR will resume its HIPAA compliance audit program sometime in fiscal year 2014, which begins Oct. 1. And those audits will cover business associates as well as covered entities. “We will make an announcement once we are ready to resume these activities, so stay tuned,” she says.
Key Changes
Key provisions of HIPAA Omnibus include:
- Making business associates and their subcontractors directly liable for HIPAA compliance;
- Adding more detailed guidelines for how to determine if a breach must be reported to authorities and individuals affected;
- Expanding individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket;
- Strengthening the limitations on the use and disclosure of protected health information for marketing and fundraising purposes and prohibiting the sale of PHI without individual authorization;
- Requiring modifications to, and redistribution of, a covered entity’s notices of privacy practices;
- Enhancing the enforcement rule, including adding provisions addressing enforcement of noncompliance with the HIPAA rules due to willful neglect and incorporating the increased civil monetary penalty structure required under the HITECH Act (with penalties as high as $1.5 million per violation).
- Clarifying that using genetic information for insurance underwriting purposes is a privacy violation under HIPAA, as well as discriminatory under the Genetic Information Non-Discrimination Act.
Enforcement Expectations
In addition to Borten, other healthcare information security specialists interviewed by Information Security Media Group also don’t anticipate an immediate crackdown on HIPAA violators as a result of the enforcement deadline.
Those who work at organizations that have been diligent in their efforts shouldn’t be too worried about ramped-up enforcement, says John Houston, vice president and privacy and information security officer of the University of Pittsburgh Medical Center.
“I do not expect to see any particular change on Sept. 23,” he says. “Obviously, OCR will start to enforce the new rules. But, I don’t believe Sept. 23 opens the floodgate for a new level of enforcement.”
Christopher Paidhrin, security administration manager in the information security technology division of PeaceHealth, a delivery system in the Pacific Northwest, says: “What is likely to happen are more breaches [reported], higher fines and greater awareness of the cost for non-compliance. The consequences for healthcare are increasing, so the responsiveness will rapidly improve. No one likes to be front page news, when it comes to fines.”
Breach Notification
Others join Paidhrin in predicting that the new rule’s expanded breach notification guidance will lead to more breaches being reported. That’s because once the rule is enforced, regulators will be looking at how organizations assess incidents for breach notification.
Under HIPAA Omnibus, the standard for breach notification has shifted from assessing whether an incident is likely to result in a significant risk of financial, reputational or other “harm” for an individual to a more objective assumption that an incident is a reportable breach unless there is a low probability the data was compromised, says Deven McGraw, director of the health privacy project at the Center of Democracy & Technology.
“I believe that there will be substantially more breaches reported, due to the way that HIPAA now requires that we assess potential breaches,” says UPMC’s Houston.
With the elimination of the harm standard, “There will be many more breach notifications, but with less of a relationship to the actual risk of identity theft to patients,” says Tom August, director of information security at Sharp HealthCare, a California-based integrated delivery system.
Lending a Helping Hand
In recent weeks, OCR has released a variety of guides to understanding HIPAA Omnibus.
For example, OCR offered two new YouTube videos aimed at helping business associates and covered entities as well as patients better understand HIPAA Omnibus.
Click here to view OCR YouTube videos.
OCR also has released three model notices of privacy practices that covered entities can use in refining their notices to reflect new consumer rights under HIPAA Omnibus, such as the right to obtain an electronic copy of their records.
And on Sept. 19, OCR issued additional guidance on several provisions of HIPAA Omnibus regarding communications to patients related to prescription refills; the disclosure of student immunization records; and the release of health information about deceased individuals.
Click here to access OCR resources.