In a long-awaited announcement, the Department of Health and Human Services this week said it made the “most sweeping” changes to the Health Insurance Portability and Accountability Act (HIPAA) since it was first passed in 1996.
The previous HIPAA rules applied to healthcare providers, doctors and insurance companies. But under the new rules, their “business associates” – contractors or service providers – also have direct specific compliance obligations, said Kirk Nahra, a partner at Washington, D.C.-based Wiley Rein LLP who specializes in health care. That could include electronic health record companies, telehealth companies and others that contract with hospitals or insurance companies.
Even though the ruling has been expected for some time, companies in the industry are all over the map when it comes to being prepared. Some have the security infrastructure, policies and documentation in place, he said, but others have a ways to go before being in compliance. Although the act goes into effect in March, companies don’t need to be compliant until September.
To meet the new standards of the law, Nahra said, companies may need to evaluate the extent to which they encrypt data, train all employees on privacy and security, develop appropriate procedures for the disposal of information, designate a security official and implement appropriate contracts with subcontractors, among other tasks.
The report itself is not for the faint of heart – it clocks in at 563 pages. But anyone in the business of health care information will want to be aware of the changes it contains.
“They need to consider whom they are doing business with, how they will obtain information from those in the circle, whether they can sell their product to enough people without getting into the circle and how to build sufficient confidence with these other entities (and consumers),” Nahra added.
As digital technology changes how patient information is collected and stored, and how quickly it can be moved and compromised, the new rules attempt to strengthen safeguards and expand the pool of parties held to the highest security and privacy requirements.
For example, they raise the maximum penalty for negligence, strengthen data breach notification requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act and provide new requirements on how patient information can be used for fundraising and marketing.
“It’s a big deal,” said Nahra. “The government hasn’t been incredibly aggressive about enforcing it, but they’re getting more aggressive.”