HIPAA (1996) and HITECH/ARRA (2009) were further refined by the release of the HIPAA Omnibus Rule (1/25/2013). These regulations coupled with the increased regulatory scrutiny can make compliance difficult and expensive. HHS estimated it will cost companies up to $255.4 million to comply with the Omnibus Rule (Rule)! What will a ¼ of a billion dollars buy? Let’s invest a few minutes to analyze the impact to covered entities (e.g., hospitals, doctors, insurance), their service providers (i.e., business associates or BA), and consumers of healthcare services (i.e., you and I).
So nine cups of coffee and 138 pages later, we have read the Rule. Several things quickly become apparent when reading the Rule: 1) politicians and regulators are verbose 2) downstream recipients of protected health information (PHI), not just covered entities, must comply 3) there is increased pain for noncompliance 4) it might even result in better data protection for consumers.
So what do we get for $255 million?
2) More snail mail. Maybe sending millions of breach notices will help the US Postal Service’s solvency. No one reads these notices either. Even if we did, they tell us after data has been compromised. Once lost, there is no means to pull it back! So take steps to protect yourself, but the data is likely forever lost.
3) Business Associates are directly covered by HIPAA. In other words, downstream service providers who receive PHI must now comply with HIPAA. So they will also feel the pain of noncompliance, specifically regulatory penalties and public humiliation, incremental to their contractual indemnification obligations. Their service providers must comply too.
4) Changes to the entities that PHI may be shared (e.g., schools for immunization) and additional restrictions on use and disclosure of PHI (e.g., sharing for marketing and fundraising).
Covered entities have some work to do by 9/26/2013.
- Update Notice of Privacy Practices (NPP) detailing changes to their information sharing practices.
- Update Business Associates Agreements (i.e., contracts with PHI service providers).
- Some relief for HIPAA compliant contacts to extend the deadline a year.
- Revisit HIPAA program through Rule’s lens, especially important since penalties increase.
- Update risk assessment accordingly and execute.
- Review Incident Response Program and its risk assessment methodology.
- Audit against updated HIPAA program, including vendor management program.
Business Associates have some work to do, again by 9/26/2013.
- Create a business associate agreement for downstream PHI service providers.
- Verify vendor management program has proper due diligence for downstream BAs.
- Update breach response program to notify covered entity “without delay” of a possible PHI breach.
- Update risk assessment and execute.
- Audit against HIPAA program, including any downstream PHI service providers.
Consumers have some homework also, but compelled by self-protection, not regulation.
- Actively manage your PHI, get copies if you feel the data may be inaccurate.
- Read NPP. No, really.
- Select only healthcare providers with information sharing practices in line with your expectations.
- Opt out of HIPAA information sharing, if it makes sense. Opt out of GLBA sharing at your bank also – just for fun.
- Remain diligent in protecting your personally identifiable information (PII); once it’s out thereis no means for retracting.This is not an exhaustive compliance plan, but a good start. HIPAA laid the infrastructure for protecting health information. Subsequent regulatory releases later we have Rule. But let’s be honest, HIPAA was before its time. Consumers didn’t understand or to a large extent show interest in understanding the complexities of the law or how it protects their information. Covered entities typically issued a NPP, but full compliance was elusive for many. Breaches were believed to be high, but often flew under the radar unannounced. Despite consumer ambivalence, HIPAA and subsequent components including Rule are intended to improve the security of sensitive medical information. Everyone needs to actively participate. After all $255.4 million is a lot of money, so ideally we gain something meaningful for the investment.