Strange as it may seem, the Omnibus Rule updating the Health Insurance Portability and Accountability Act (HIPAA) is going on two years old, and it seems there is still a fair amount of confusion as to what the guidelines all mean and how they apply to outsourced and cloud-based data infrastructure.
The rule covers a plethora of topics – everything from broader patient privacy protections to new ways in which compliance is monitored and enforced. But with healthcare-related data loads on the rise, it’s no wonder many organizations are still struggling to maintain compliance and provide top-notch customer service.
Here is a quick-study guide to HIPAA compliance in light of the Omnibus Rule guidelines.
To start with, patients now have the right to an electronic copy of their medical records coupled with the right not to disclose certain information to third parties, such as insurance companies and other medical providers. This increases the burden on healthcare providers to not only enable prompt access to patient data, but to continuously manage the reams of metadata that informs healthcare professionals and automated systems alike on the rules governing access and use of that data.
The very collection of data is becoming more complex as well. For example, if the patient pays for a treatment in cash, they have the right not to disclose the service, even to their own insurance company. So that means healthcare providers have to note not only what the patient paid and the service provided, but also the method of payment. This may not sound like a big deal, but multiplied over thousands of patients and added to the myriad of other reporting requirements contained in the Omnibus Rule, the data load for even relatively small enterprises will quickly mount.
At the same time, parents now have an easier time sharing their children’s health information with schools and other entities. This means the provider not only needs to store greater amounts of data, but must also ensure it is available and retrievable in a timely manner.
One of the more significant changes is the formalization of the cloud or managed service provider as a “business associate” rather than a mere contractor. This locks in place a more formal legal environment in which the IT service provider assumes greater responsibility for securing electronic protected health information (ePHI) to assist the healthcare covered entity – i.e. healthcare provider, health plan, or healthcare clearinghouse – to maintain HIPAA compliance. And along with that, the IT service provider also assumes greater liability should something go wrong.
Of course, all of this will tend to complicate the relationship between healthcare covered entities and their IT service providers. It will require more detailed service contracts, part of which should cover the Breach Notification Rule which spells out exactly when and how patients are to be informed if their personal health records have been compromised. And if the breach affects more than 500 patients, there are rules for informing the media as well.
And that liability is a lot steeper than it was under the old rules. Penalties can now hit $1.5 million per violation, and there is an entirely new violation structure with new categories and definitions that can be used to assess the level, and thus the dollar amount of the penalty. These range from reasonable lapses in compliance that can generate fines as low as $100 per occurrence, all the way to repeated willful neglect, which could hit you with the full $1.5 million. And that is just on the civil side. If the court determines criminal negligence or intent, particularly if there is an intent to sell or otherwise gain financially from breached information, the accused could face up to 10 years in federal prison.
Taking all of the risks into account, there are clear reasons to be vigilant when it comes to HIPAA auditing and certification – both for the healthcare covered entity and the IT service provider partner. The Health and Human Services Department has issued an audit protocol that covers topics such as Privacy Rule and Breach Notification Rule requirements, as well as various management and security processes. One rule of thumb: be wary of providers claiming to be “HIPAA-ready” or “HIPAA-certified”; look for “HIPAA-audited” or “HIPAA-compliant” instead, and then make sure they have passed an independent examination by an authorized HIPAA protocol auditor.
In this age of data portability and software-defined infrastructure, one mistake many organizations make when it comes to HIPAA and other regulatory burdens is to assume that compliance is simply a matter of implementing the proper security tools to prevent disclosure of protected health information (PHI) and automated reporting tools to catch breaches before they get out of hand. While these are important, a complete strategy must encompass more than just technology. It should include business processes and strategies and even the corporate culture itself. Remember, technology is only as good as the people who run it.
An additional note – although HIPAA may be a complicated regulation to fully grasp, there are a number of free web resources to help guide you through the myths and reality: