Eye on Privacy: Does the New HIPAA Rule Apply to You?
On Jan. 17, 2013, the U.S. Department of Health and Human Services (HHS) announced a final omnibus rule amending the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with the HITECH Act of 2009. If you are a Covered Entity (CE) who has been dealing with HIPAA for years, you probably already know the implications of the new rule.
For those of you who are Business Associates (providing services to a CE) under HIPAA, and more importantly, anyone providing services to hospitals, health insurance companies, pharmacies and other health-related businesses as a subcontractor to a Business Associate (BA), this overview is for you.
There are two areas that are of particular interest to business associates. Until now, a BA was obligated to process and protect Protected Health Information (PHI) based upon requirements stated in the Business Associate Agreement (BAA) in place with the CE. Under the new rule, BAs are directly liable for protection of PHI and are treated like a CE in the areas of data breach reporting and penalties and in managing their subcontractors that create, receive, maintain or transmit PHI on their behalf.
Previously, Business Associates were required through BAAs to report any data breach to the CE. The CE, in turn, investigated the potential breach, determined if an actual breach occurred, reported the breach to the Office of Civil Rights (OCR) and sent notification letters to the individuals.
Now BAs are responsible for performing their own risk assessments, notifying OCR, and notifying the affected individuals. The standard for determining whether a breach has occurred has moved from a "harm threshold" to a "low probability" of compromise standard. And while HHS believes the new four-factor risk assessment requirement will be more objective, it will certainly result in more incidents being classified as reportable breaches.
Your best protection against a reportable breach is to employ encryption and destruction protocols that limit your exposure: the loss of PHI that is considered "secured" in this way is not treated as a breach.