HIPAA Omnibus Rule Takes Effect; Now What?

09.27.13
Albert Ahdoot

HIPAA updates are in full effect. Get the facts you need to know before it’s too late!

On September 23rd, new guidelines for the HIPAA (Health Insurance Portability and Accountability Act) Omnibus rule went into effect, extending compliance to hold third-party entities (or anyone officially involved) in the handling of protected health information (PHI) fully accountable for any breach that may take place.

Changes to HIPAA audits were originally announced on March 26, 2013; data centers, cloud and hosting providers are forced to comply or face stiff fines if they fail to do so.

Subcontractor Liability

Any business associate, subcontractor or entity that handles, transmits or stores protected health information (PHI) must adhere to the final guidelines of the HIPAA omnibus rule.

Previously, HIPAA guidelines were limited to those who directly handled confidential patient data or PHI and did not cover third-party subcontractors.

HIPAA compliant data centers and secure hosting providers must now enter into an official business associate agreement (“BAA”) ensuring all entities are in compliance with the new HIPAA mandates. Business associates, regardless of their role within a vendor’s organization, are responsible for the following:

– Disclosure: failure to disclose protected health information (PHI) or failure to prove that proper accounting methods are in place within a vendor chain will result in civil penalties.

– Notification: if a breach does occur, vendors must notify those who have entered into an official BAA.

– Business Associate Agreements: failure to enter into an official BAA with third-party contractors.

– Access to PHI: hosting providers must provide copies of PHI to owners of electronic data.

Privacy Rights Explained

Protected health information (PHI) is federally protected under HIPAA compliance rules, which are updated to protect consumers, business associates and hosting providers by implementing a system of checks and balances with regards to how PHI is accessed, transmitted, transcribed or disclosed. In layman’s terms, HIPAA compliance audits make sure confidential patient data is handled with integrity and confidentiality.

The Office for Civil Rights (OCR) announced a delay in enforcement policies on September 19, 2013, ensuring that specific HIPAA laboratories have time to update their notices of privacy practices; however, the OCR did not stipulate how long these aforementioned laboratories have to comply with the new regulations. IT health publications have addressed the concerns of patients and developers alike by debunking specific HIPAA omnibus myths:

HIPAA Myths

– Health Information is Automatically Secure: unless laptops and transmitted data are encrypted, PHI is subject to malicious attacks. Practitioners must encrypt information even on personal electronic devices.

– HIPAA Compliance is IT Related Only: HIPAA compliance applies to anyone that handles PHI, not just IT professionals. Stolen laptops that are not encrypted will result in a HIPAA violation.

– HIPAA Protects Everything: a common misconception; HIPAA only protects information within a physician’s office or practice. If a patient records PHI on a smartphone, which then gets stolen, that information is not protected under HIPAA.

– Mobile Devices Can Be Properly Secured: another common misconception is that our mobile devices (smartphones or tablets) can be secured with just a simple password. HIPAA states that such devices can be hacked easily and pose a serious threat to PHI security.

HIPAA Compliant Hosting Providers

Reputable hosting providers take PHI seriously and work hard to make sure all safeguards are in place within a data center or other hosting environment. As previously stated, HIPAA audits now extend compliance to hold third-party entities (or anyone officially involved) in the handling of patient health records fully accountable for any breach that may take place. If you are a medical practitioner, patient or third-party hosting provider, make sure that health records are being handled in compliance with the new HIPAA omnibus rules. You don’t want to risk being fined over a simple security breach.

For more information contact
