After years of anxiety across healthcare and other industries, the US Department of Health and Human Services (HHS) just released the Health Information Technology for Economic and Clinical Health (HITECH) modifications to the fifteen-year-old Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations.
Dubbed the most sweeping changes since HIPAA was first implemented, the new rules will strongly affect any third-party organization that stores or manages patient health records or supports workflow processes relating to them. The rule goes into effect on March 26, 2013, with a compliance date of September 21, 2013.
Among the many changes across the 563-page omnibus rule is the combination of what are actually four final rules, in an attempt to “reduce the impact and number of times certain compliance activities need to be undertaken by the regulated entities.” These are, in a nutshell:
- Modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by the HITECH Act, which were issued as a proposed rule in July 2010.
- Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil monetary penalty structure delineated by HITECH, which was originally published as an interim final rule in October 2009.
- A final rule on Breach Notification for Unsecured Protected Health Information under HITECH, which replaces the old “harm threshold” and supersedes the interim final rule published in August 2009.
- A final rule changing the HIPAA Privacy Rule to align it with the Genetic Information Nondiscrimination Act (GINA), which prohibits most health plans from using or disclosing genetic information for underwriting purposes (published as a proposed rule in October 2009).
A number of changes under the new final rule will directly affect third-party IT providers and other third-party service providers to the healthcare industry. Perhaps most significantly, the new rules expand HIPAA requirements to include “business associates of healthcare providers, health plans and other entities that receive protected health information, such as contractors and subcontractors.” That is, “business associates of covered entities are directly liable for compliance” with certain requirements.
Other key changes that will affect healthcare service providers, as well as the entire healthcare provider sector, relate to breaches of healthcare data. Since some of the largest breaches of PII ever reported have involved third parties, penalties for noncompliance by third parties are increased based on the level of negligence, up to a maximum of $1.5 million per violation. The new rule also strengthens the HITECH breach notification requirements by clarifying exactly when healthcare data breaches must be reported to HHS.
Not surprisingly, IT leaders view the new regulations as a further regulatory challenge. Healthcare providers and the vendors that serve them are already challenged to balance “protection with sharing” in addressing both HIPAA compliance and HITECH regulations.
For more information
- The HHS news release announcing the new rule.
- The full text of the omnibus rule in PDF format.
- The new HealthIT.gov website on Privacy & Security Policy.