Complying with New HIPAA Omnibus Rule
What actions should companies take to ensure compliance with new HIPAA regulations? Tony Munns, member in the risk advisory services practice at Brown Smith Wallace, discusses the steps to take to ensure business associates are held accountable under the new security rule for protected health information (PHI).
Companies are being challenged to protect vast amounts of proprietary and confidential information. And now, many are being held to an even higher standard when it comes to protected health information (PHI).
“The Health Insurance Portability and Accountability Act (HIPAA) has existed since 1996. It’s well established that covered entities — health care providers, benefit plans and clearinghouses — have a responsibility to ensure the privacy and security of PHI. Recently, the rules have been tightened to also cover business associates — organizations with which a covered entity shares PHI. These changes mean that business associates now have to fully comply and be accountable under the HIPAA security rule,” says Tony Munns, member, Risk Advisory Services, at Brown Smith Wallace.
Smart Business spoke with Munns about the final omnibus rule and what actions businesses should take.
What prompted the new rule?
A significant number of data breaches were from business associates who were not as diligent as they should have been, and covered entities were not selecting business associates with the appropriate rigor. A notable example involved an insurance company that had a business associate who was responsible for off-site storage of sensitive data. The business associate was using a garage, which was left unlocked and wasn’t climate-controlled. That contracting choice has led to separate investigations by both California and federal regulators.
What action should companies be taking?
The Department of Health and Human Services said that it is not sufficient just to have an agreement; there needs to be satisfactory assurance that the business associate can and does follow proper procedure. Entities covered by HIPAA have until Sept. 23, 2013, to update their business associate agreements. Current agreements do not have to be changed until they are up for renewal, but in any case all agreements have to be updated by Sept. 22, 2014.
What steps should companies take to comply with the legislation?
♦ Understand the new requirements and the impact on the business.
♦ Update business associate agreements.
♦ Apply the satisfactory assurance mandate.
Review existing agreements and perform due diligence to get comfortable with the practices of your business associates. This might involve requesting that audits be performed, such as Statement on Standards for Attestation Engagements No. 16 reports. In the insurance company example, no one examined whether the person contracted to provide off-site storage was capable of providing it to the level expected.
What are other requirements of the final omnibus rule?
The new rule requires that individuals be informed that their information has been breached. Managing breaches is no longer sufficient. Meanwhile, business associates are not required to provide a notice of privacy practices or designate a privacy official; they only need to comply with the general privacy requirements and all security measures, much like covered entities. The definition of a breach was also changed from ‘a significant risk of financial, reputational or other harm to an individual’ to ‘an acquisition, use or disclosure of PHI in a manner not permitted.’ Under the old rule, companies that didn’t believe information was compromised didn’t need to classify it as a breach. Now they have to report the breach, but can apply mitigation to demonstrate there was a low probability of harm.
What are the penalties?
There are four categories:
- Ordinary breaches, such as an error or lost equipment — $100 to $50,000 per violation.
- If reasonable due diligence would have revealed the violation — $1,000 to $50,000 per violation.
- Conscious, intentional failure or reckless indifference, but the breach was corrected — $10,000 to $50,000 per violation.
- Conscious, intentional failure or reckless indifference and the breach was not corrected — $50,000 per violation. For all violations, the cap is $1.5 million.
And there will be more enforcement.