By now you are aware that the much anticipated final ruling from the Department of Health and Human Services (HHS) regarding regulations implementing the security, privacy, and data breach notification provisions of the HITECH Act was released on January 17, 2013. HHS’s hope in issuing this final rule is to strengthen the data and security protection for individuals’ health information. This ruling finalizes an interim modified HIPAA Breach Notification Rule, which has been in effect since 2009. The new regulations take effect on March 26, 2013, but medical organizations and their business associates have until September 23 to fully comply. Here are some key changes made by the final ruling:
- Expanded “Business Associate” Definition: The definition now includes any entity that facilitates data transmission such as health information organizations, subcontractors and vendors of personal health records. Business associates are now directly liable under the Security Rule and various provisions of the Privacy Rule.
- Security and Privacy Rules Amendments: More extensive notices of privacy practices are now required and there are stricter limitations on the use of protected health information for fundraising and marketing activities. In addition, individuals’ rights to obtain electronic copies of their health records have been expanded.
- Amending the Definition of “Breach”: In finalizing the Breach Notification Rule, a data breach is now defined to have occurred if there has been any unauthorized acquisition, access, use, or disclosure of protected health information (PHI) unless it can be proved that the likelihood that the PHI has been compromised is low.
- Enforcement Rule Amendments: Penalties for violations have increased and fewer affirmative defenses are accepted. The maximum penalty for a HIPAA violation is now $50,000 per violation and $1.5 million for multiple identical violations. In the past, a medical entity’s reasonable lack of knowledge of a violation constituted an affirmative defense, but under the new rules this is no longer accepted. An entity can claim a complete defense only if the violation was not due to willful neglect and was corrected within thirty days of when the entity discovered the violation.
Last year, HHS executed a pilot program auditing various medical organizations for their compliance with the HIPAA Rules. HHS plans to continue the HITECH-mandated audit program through 2013 and may consider extending it into 2014, focusing on how well medical entities monitor their employees’ handling of PHI. In the past, medical personnel’s improper handling of health records led to a number of medical data breaches resulting in substantial penalties.
This final ruling implements the mandates of the HITECH Act with an aggressive enforcement policy and significant new burdens on medical organizations and their business associates. Entities that handle HIPAA-protected information would be wise to seek professional counsel and services to ensure they comply with the new regulations, or risk the severe new fines.