Enforcing HIPAA Omnibus: What to Expect
With Audits Looming, Compliance a Priority
Although the long anticipated Sept. 23 enforcement date for the HIPAA Omnibus Rule has arrived, many healthcare information security experts don't anticipate an immediate surge in crackdowns on those who are not in compliance.
"I doubt there'll be a 'big bang' enforcement effort on Sept. 24, but I advise covered entities and business associates to be prepared nevertheless," says Kate Borten of security consulting firm The Marblehead Group. "You could fly under the radar, but do you want to take that chance?"
Here's what Rachel Seeger, a spokesperson for the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, has to say: "For OCR, September 23 is business as usual as we have not paused in our enforcement efforts. We will, however, begin looking at investigations in a post-Omnibus era with a new lens with respect to compliance responsibilities of covered entities and now business associate liability."
Seeger doesn't offer specifics about the intensity of the enforcement effort, other than to note: "Like many covered entities and business associates, OCR has been busy training staff across the country on the various rule changes."
She also points out, however, that OCR will resume its HIPAA compliance audit program sometime in fiscal year 2014, which begins Oct. 1. And those audits will cover business associates as well as covered entities. "We will make an announcement once we are ready to resume these activities, so stay tuned," she says.
In addition to Borten, other healthcare information security specialists interviewed by Information Security Media Group also don't anticipate an immediate crackdown on HIPAA violators as a result of the enforcement deadline.
Those who work at organizations that have been diligent in their efforts shouldn't be too worried about ramped-up enforcement, says John Houston, vice president and privacy and information security officer of the University of Pittsburgh Medical Center.
"I do not expect to see any particular change on Sept. 23," he says. "Obviously, OCR will start to enforce the new rules. But, I don't believe Sept. 23 opens the floodgate for a new level of enforcement."
Christopher Paidhrin, security administration manager in the information security technology division of PeaceHealth, a delivery system in the Pacific Northwest, says: "What is likely to happen are more breaches [reported], higher fines and greater awareness of the cost for non-compliance. The consequences for healthcare are increasing, so the responsiveness will rapidly improve. No one likes to be front page news, when it comes to fines."
Others join Paidhrin in predicting that the new rule's expanded breach notification guidance will lead to more breaches being reported. That's because once the rule is enforced, regulators will be looking at how organizations assess incidents for breach notification.
Under HIPAA Omnibus, the standard for breach notification has shifted, says Deven McGraw, director of the health privacy project at the Center for Democracy & Technology. Previously, an organization assessed whether an incident was likely to result in a significant risk of financial, reputational or other "harm" to an individual. Now the rule applies a more objective presumption: an incident is a reportable breach unless there is a low probability that the data was compromised.
"I believe that there will be substantially more breaches reported, due to the way that HIPAA now requires that we assess potential breaches," says UPMC's Houston.
With the elimination of the harm standard, "there will be many more breach notifications, but with less of a relationship to the actual risk of identity theft to patients," says Tom August, director of information security at Sharp HealthCare, a California-based integrated delivery system.
Lending a Helping Hand
In recent weeks, OCR has released a variety of guides to understanding HIPAA Omnibus.
OCR also has released three model notices of privacy practices that covered entities can use in refining their notices to reflect new consumer rights under HIPAA Omnibus, such as the right to obtain an electronic copy of their records.
And on Sept. 19, OCR issued additional guidance on several provisions of HIPAA Omnibus regarding communications to patients related to prescription refills; the disclosure of student immunization records; and the release of health information about deceased individuals.
To learn more about other federal regulatory activity pending this fall, read Regulators to Tackle Privacy Issues.