After a wait of nearly three years, the U.S. Department of Health and Human Service's Office for Civil Rights released the much-anticipated update to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules, also known as the HIPAA omnibus
While some compliance professionals welcomed the release of the new HIPAA regulations for the certainty they will bring, others are railing against what they see as an increased regulatory burden.
Many of the rules contained in the final regulation are familiar. The Office for Civil Rights (OCR) left unchanged large parts of the proposed rule, which was initially released in July 2010. One of the main things to come out of the release is that organizations can now operate with certainty that their privacy and security policies comply with all applicable regulations. "These are the big things we've been talking about for what seems like forever," said Angela Dinh Rose, director of health information management solutions with the American Health Information Management Association. "The industry has been waiting for this for so long that everyone is breathing a sigh of relief."
Organizations in the past might have been trying to do the right thing and still got a negative outcome. Now it makes it much clearer what the right thing is.
chief marketing officer, ID Experts
The new rules put in place more objective standards for assessing a health care provider's liability following a data breach. Rose said this will simplify breach response. Additionally, the new regulations hold business associates (BAs) to the same standards for protecting patient health information as covered entities, which she said is one of the most significant pieces of the regulatory update.
This new regulation regarding BAs could streamline future contract negotiations between health care organizations and service providers that utilize personal health information (PHI). In the past, differences of opinion over the liability of BAs derailed some contract negotiations.
Business associates on the hook
But while the new status of BAs will clarify their responsibilities and liability, it could also lead to compliance difficulties. Many BAs might not realize the new HIPAA regulations apply to them. Those that are aware of their responsibilities could be inexperienced at complying with federal privacy regulations. It might take fines and penalties for health care contractors to familiarize themselves with their new responsibilities.
"When you think about the stream of health contractors who touch health information, I think it's going to clarify who has what obligation," said Doug Pollack, chief marketing officer at ID Experts. "But my guess is that you're going to start seeing some very prominent enforcement action by OCR against business associates as a wake-up call." The OCR has historically declined to pursue fines and penalties against BAs responsible for data breaches because the regulations describing their liability were not clear, he said. BAs now are squarely in the crosshairs of regulators, however, and the OCR has indicated it is eager to pursue investigations against any entity responsible for lost PHI, he added.
Data ownership rules will prove thorny
One rule included in the updated HIPAA regulations indicates that patients who pay cash for medical services, thereby bypassing third-party payers, have greater rights to limit the use of data created by their physician than do patients who pay through an insurance provider. Ali Pabrai, CEO and co-founder of information security company ecfirst Inc., said practices could have difficulty complying with this provision, due to technical limitations.
The problem is that few electronic health record (EHR) systems have the capability to differentiate between data sets on the basis of payment type. Vendors will have to re-engineer systems to give patients who pay in cash better controls on their data. "I think that's an area that EHR vendors would have to go back and see if their products provide the kind of functionality so that their customers would be able to limit access," Pabrai said.
Pabrai doesn't expect vendors to jump on this issue immediately, however. He pointed out that vendors were slow to offer physicians functionality that was mandated by the meaningful use program, such as robust security features. It was only when physicians started demanding these features that vendors added them.
Industry remains divided on HIPAA regulations' impact
Ultimately, the privacy and security professionals interviewed for this article were divided on whether the new HIPAA regulations will primarily be a burden to the industry or will simplify areas that lacked clarity.
Lisa Sotto, head of the global privacy and data security practice at the law firm Hunton and Williams, said the fact that covered entities will likely have to renegotiate BA agreements, combined with the sheer length of the document, makes the HIPAA omnibus something that many organizations will have difficulty complying with on time. "This is going to be a bit of a bear for these entities," she said. "We were all sitting here puzzled at why it hadn't been released, but now that it has, it is monstrous at 563 pages and is a huge amount to wade through."
On the other hand, ID Experts' Pollack sees the rules as eliminating ambiguity. This will make it easier for organizations to develop policies that they know comply with existing regulations and will continue to comply into the future. "Organizations in the past might have been trying to do the right thing and still got a negative outcome," he said. "Now it makes it much clearer what the right thing is, and most organizations will find that it is a little more of a documentation burden, but it's the same documentation burden since the HITECH Act was passed."