HHS requires business partners to comply with new health privacy rules

22 January 2013

A new set of rules that increases security and privacy requirements for hospitals, other health care providers and health plans has been released by the US Department of Health and Human Services (HHS).

From a data breach perspective, the rules now require "business associates" of health care entities to also comply with the security and privacy regulations, and raise penalties for noncompliance, tiered by level of negligence, up to a maximum of $1.5 million per violation.

Business associates and their subcontractors were not subject to the privacy and security rules in the Health Insurance Portability and Accountability Act (HIPAA) when it first became law in 1996. But now, data processing firms, law and accounting firms, IT consultants, cloud computing providers, billing centers and others will need to comply with many of HIPAA's requirements.

In fact, research from Online Tech shows that 62% of HIPAA breaches are business associate-related.

The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

According to the rulemaking, the risk assessment has been modified “to focus more objectively on the risk that the protected health information has been compromised. Thus, breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrate that there is no significant risk of harm to the individual as was provided under the interim final rule.”

The final rule is effective March 26, and covered entities and business associates must comply with the applicable requirements of this final rule by Sept. 23. The HHS is prepared to administer penalties for failure to do so, it said.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez, in a statement. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

IT blogger Thu Pham noted that business associates have already been in the cross-hairs, legally speaking. Minnesota’s Attorney General is suing Accretive Health over an unencrypted data breach incident that occurred last year when a laptop containing 23,500 patient records was stolen from the business associate’s car. Accretive Health is a licensed debt collector that also provides a patient analysis service for hospitals.

“Part of the reason why they were targeted may be linked to further complexity of the case – not only did Accretive Health suffer from a data breach, but the lawsuit claims they were also accessing and using patient data without the knowledge or consent of patients,” Pham said. “One of their services provided the probability of a patient’s hospital admittance and their calculated potential financial worth to the patient’s healthcare provider, all based on perceived risk factors from their personal health information, according to the claim.”

Another major HIPAA violation case involving a business associate was the Department of Defense’s military healthcare program, in which a contractor employee left an unencrypted laptop in their car and it was stolen. About 4.9 million patients were affected. A lawsuit was filed by a few of the affected patients, and in the claim, they indicated the need for all contractor employees to be properly trained in how to handle personal health information.

Companies need to start preparing now, according to W. Reece Hirsch and Heather Deixler, both attorneys with Morgan Lewis & Bockius.

“Business associates should prepare for compliance with new HIPAA obligations on September 23, including implementation of a Security Rule compliance program,” they advised. “Covered entities should also begin conforming their HIPAA compliance programs to reflect the new requirements of the Final Rule, including updating and redistributing notices of privacy practices and amending business associate agreements.”

The HHS said that the final omnibus rule in general enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law. For instance, patients can ask for a copy of their electronic medical record in electronic form, and, when individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule also sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius, in a statement. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
