Updated rules to the Health Insurance Portability and Accountability Act (HIPAA) expand the legal responsibilities of third-party organizations handling protected health information.
On Monday, the compliance grace period ended for the HIPAA Omnibus Rule (PDF), which formalized many of the statutory changes already made in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act). The changes took effect in March, but organizations have had the past six months to update their business practices to remain in compliance.
Amendments include measures that legally require “business associates” of covered entities to comply with security and privacy measures enforced by HIPAA, like breach notifications.
In addition, the updated rules expands the definition of a business associate so that any subcontractor that creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered HIPAA-entity, must comply. Health information organizations, e-prescribing gateways and other organizations that provide data transmission services for covered entities, were also designated as "business associates" that must comply with HIPAA.
In an interview with SCMagazine.com, Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS), addressed the significance of the new HIPAA rules.
“The definition has been broadened,” Kim said of business associates. “You could be considered a business associate if you are a data storage company, or even if your access to protected health information is infrequent,” she continued, later adding, that anyone who maintains or has access to PHI is “on the hook.”
Other major amendments to the security rule, include restrictions on how covered entities can market or sell PHI, namely, that organizations must obtain prior written authorization from patients in order to contact them about non-health related services or products, or share that information with a third party for marketing purposes, Kim shared.
Still, businesses just coming into the fold, which must now comply with HIPAA, will likely feel the biggest impact as a result of the changes.
Mahmood Sher-Jan, vice president of product management at ID Experts, a data breach prevention and response firm which consults with HIPAA-covered entities on remaining compliant, told SCMagazine.com that, before, business associates' main concerns where upholding their contracts with covered organizations, like hospitals or insurers.
Their level of accountability has now grown, he explained.
“Before, they only had to comply contractually," Sher-Jan said of specific contracts between covered entities and third party companies accessing patient data. "Now legally they have to comply. [Under HIPAA] they could be audited, they could be found negligent or fined,” he said.