HIPAA got tougher in September

More-stringent-than-ever HIPAA Omnibus Rule
By Erin McCann
12:00 AM

Leon Rodriguez, director of the Office for Civil Rights at the U.S. Department of Health & Human Services, represents the face of the more-stringent-than-ever HIPAA Omnibus Rule.

The new rule, which took effect Sept. 23, promises to bring hefty fines, more audits and added enforcement for those grossly failing to protect patients’ protected health information.

In reality, however, although Rodriguez has affirmed that organizations will indeed be held accountable for violating HIPAA privacy and security rules, he has also proved himself to be industry-conscious, practical and fair.

Of the some 80,000 HIPAA breach cases OCR has received since 2003, only 16 of those have resulted in fines, Rodriguez pointed out in an interview with Healthcare IT News.

“It’s a relatively small part of what we do here,” he said. Most cases OCR handles involve corrective action rather than monetary fines.

Don’t let that cloud your judgment or start shirking your privacy and security obligations, however. Fines imposed on organizations that grossly violate HIPAA privacy and security rules are now on the upward trend, says Rodriguez, and that’s most likely going to continue.

“It’s going to continue to be a small but very important part of the story,” he said. “I think it’s important because it very powerfully articulates what our expectations are for covered entities, what risk analysis steps, what training steps, what disciplinary steps, what safeguard steps we expect of them.”

And although an official and permanent audit program is not yet fully established – and most likely won’t be until 2014 – breach investigations are, as some organizations can attest to, at full force.  

What’s new?

One of the first changes to note in the final rules pertains to the very definition of breach. The interim rule originally stipulated that a breach compromised the security or privacy of protected health information and posed significant risk of financial, reputational or other harm to an individual – often called the harm standard.

In the Omnibus final rule, not only was the harm standard removed but also a breach is now defined as “impermissible use or disclosure of PHI is presumed to be breached unless an entity demonstrates and documents low probability PHI was compromised.”

“There are two changes there,” said Robert Belfort, healthcare attorney at Manatt, Phelps & Phillips, in an interview with Government Health IT earlier this year. “First, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, second, the burden of proof is clearly on the covered entity so if that can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.”

Also among the most significant changes in the final rule is that business associates are now accountable for violating specific privacy and security rules.
This should have come as no surprise to BAs, said Rodriguez. “We have been clear for a very, very long time now with the business associates about the fact that they will become directly accountable under the regulations, that they should begin taking all the necessary steps to amend, if necessary, their policies and procedures and practices to come fully into compliance with these obligations,” he said.