Well, it is probably not quite game-changing yet, or people would be talking about it more. But the Omnibus Rule (PDF) that updated the Health Insurance Portability and Accountability Act (HIPAA) has the potential to be a game changer because of the things it says in writing, as well as some of the things that it doesn’t say.
HIPAA was ahead of its time by defining regulations not only to enable better use of electronic records, but to improve both privacy and security of protected healthcare information (PHI). The Health Information Technology for Economic and Clinical Health (HITECH) Act made considerable changes to HIPAA. In terms that security geeks care about, like security and privacy, HITECH added better definition of fines, and better enabled enforcement, along with laying out definitions for “willful neglect”. HITECH’s additions for unauthorized uses and breach notification were significant changes and enhancements, as was guidance that Business Associates had some direct responsibilities to safeguard PHI (under HIPAA, this responsibility was primarily passed to a BA under terms of their contract). But by now, HIPAA is “old news” and HITECH is getting there.
Does the recently passed HIPAA Omnibus Rule really change things? We don’t know yet, partially because so much counts on how the rule will be enforced, but it has the potential to.
The obvious question is “what is so profound about the Omnibus Rule?” Realistically, the Omnibus Rule includes many more things than are included here, and some of those things may have substantive impacts on healthcare organizations. But I am a security geek, not a healthcare practitioner, so these are the updates that, as a security geek, I consider the most likely to be “game changers”.
September 23, 2013
The general deadline for compliance with the Omnibus Rule is September 23, 2013. This should not be a terrible surprise for anyone who has been reading HITECH, the interim rule, and associated updates, but this is ONLY a little over three months away from the time of this article. Security is often as much about organizational culture as it about technical controls, and organizational culture does not evolve overnight. In the world of integrating requirements into your security program that is no time at all. In other words, you should already be started or you may very well be too late.
Enhanced Patient Privacy
There are numerous updates to patient privacy requirements. To simplify, the Omnibus Rule expands patient rights and notification requirements. The point is that there are changes from the interim rules, so a healthcare organization needs to update their privacy policies and notifications in meaningful ways.
Business Associate Responsibility
Under HIPAA, BAs were pretty much obligated to do the things they had promised to their Covered Entities (CEs) in contractual language. In practical terms, if it was not in the contract, you did not “have” to do it. Under HITECH, BAs became responsible to directly meet the requirements of HIPAA and other pieces of HITECH. With the Omnibus Rule, BAs and any subcontractors who have access to PHI are directly liable for compliance with the HIPAA Security and Privacy rules. In fact, the same is true of subcontractors and vendors of the BA. Just as the CE absorbs responsibility to ensure that the BA has an appropriate security program, the BA now absorbs responsibility to make sure that subcontractors and vendors have appropriate security programs. Everyone in the chain can now be audited and assessed civil and criminal penalties for violations. And this is regardless of any contractual agreements that they may already have in place. The fact that a BA is truly responsible for HIPAA and HITECH compliance is not completely new, since it was in the interim rules, but BAs should pay heed to the fact that their requirements have now been formalized in the final Omnibus Rule.
CEs are also now required to get proof from the BAs that the BA is taking appropriate action to protect PHI, just as the BA is required to get this proof from any subcontractors. Previously, the CE and the BA could rely on their contractual language to isolate themselves from any liability for lack of performance. This is no longer the case. It is now incumbent on the CE to know whether or not the BA is behaving. If the CE does not have this proof, and the BA gets popped, the CE is no longer able to isolate their selves from liability by pointing to the BA.
This, in turn, means that the BA (and any subcontractors) is truly responsible for building and managing a HIPAA/HITECH compliant security program. And that they have to be able to produce the information than can serve as proof that they indeed have such a program. The most important element here is not just that the organizations must be HIPAA/HITECH compliant, but that their compliance programs must be able to produce enough documentation and other information that the organization can prove that they are compliant. That “proving compliance” part of the equation has historically been one of the most difficult parts of a security program, but under the Omnibus Rule it must be an integral part.
Investigation Guidelines
Guidelines for investigations have changed in a couple places. While they are not earth shattering updates, when you look at the exact intent of the changes, they can be significant.
First, the way that a CE or BA can look at the potential loss of PHI has changed. Previously, if the CE or BA had reasonable expectation that any improperly disclosed PHI had NOT been accessed, they did not have to do additional investigation, and did not have to report that improper disclosure. This was more of an “innocent until proven guilty” point-of-view. Under the Omnibus Rule, the unauthorized use or disclosure of PHI is assumed to be a breach unless the CE or BA can demonstrate that there is a low probability that the PHI has been compromised. A CE or BA must now take action as if this unauthorized disclosure is a breach until they can prove otherwise. The CE or BA is now “guilty until proven innocent”; a small difference that can have a big impact on how they handle improper disclosures. This is also one of those “HIPAA compliance documentation” moments that must be properly documented as part of the organization’s HIPAA program – so retaining the proof that a disclosure was not a breach is a formal process.
Second, under HIPAA and HITECH, there was some discretion on what actions HHS could take when seeing “willful neglect”. Under the Omnibus Rule, if HHS review reveals even the possibility of willful neglect they are required to initiate a formal investigation.
Penalty Guidelines
The Omnibus Rule update for penalty caps is actually a big one. The fun part for CEs and BAs is that the Omnibus Rule is essentially silent on penalty caps for violations. HITECH had language that seemed to limit the total fines that could be assessed, but the language has changed for the Omnibus Rule. The Omnibus Rule basically states that the business may be assessed civil penalties up to $1.5 million for all violations of an identical HIPAA requirement in a calendar year. A CE or BA can be assessed additional penalties in the event of “willful neglect”. That CE or BA can also be assessed additional civil penalties for violations that are not “identical”. The effect has huge potential impact that should be scaring healthcare institutions across the country. If a Health and Human Services auditor finds a significant violation, the CE or BA can be assessed up to $1.5 million in civil penalties for that one specific type of violation. If the auditors find a second violation, the CE or BA can be assessed up to ANOTHER $1.5 million for that one. And so on. Technically, the ultimate penalty is at the discretion of the HHS, so repeat after me – THERE IS EFFECTIVELY NO PENALTY CAP!
Realistically, HHS wants organizations to comply, not go out of business, so I expect we would all be surprised if we see a $millions fine, BUT we should also not be too surprised if we see someone “taught a lesson” to help motivate compliance in other organizations.
If I were a healthcare professional, instead of a security geek, I would really hate to be that lesson.
