With great power also comes great responsibility. This is especially true for healthcare entities that employ the power of information to provide better services. Patient Health Information, like any other information, is a valuable asset for healthcare organizations. However, organizations that handle and process health information are also expected to protect it. This is why the HIPAA and HITECH regulations are of great significance to the healthcare industry.
The HIPAA omnibus final rule recently published by the US Department of Health and Human Services places more emphasis on this responsibility of healthcare organizations to protect patient health information. The final rule brings significant changes, among them a new tiered penalty structure for covered entities that violate the law. This is a noteworthy addition because it increases monetary penalties to up to $50,000 per violation for ‘willful neglect’ that is not corrected, and up to $1.5 million for multiple violations of an identical provision.
As this law is expected to be enforced aggressively, healthcare entities are preparing themselves and making the changes needed to comply with the final rule. Beyond the monetary penalties, four areas of the rule are expected to have a considerable impact on healthcare organizations:
- Business Associates are now liable too. This change is the most significant as far as healthcare providers are concerned, because their business associates and subcontractors will now also be held directly liable for breaches of personal health information. Earlier, business associates were liable only if they had signed a business associate agreement with the covered entity. The final rule also brings several new kinds of entities, such as health information exchanges, personal health record vendors, cloud service providers and the like, into this category.
- Patients have enhanced rights. The updated HIPAA rule gives patients the right to receive an electronic copy of their health information on demand. Moreover, they can request that such information be sent to another person or designated entity, such as another doctor, a caregiver, an online personal health record or a mobile application.
- Patients can request non-disclosure. A provision of the final rule requires healthcare entities to honor a patient’s request to restrict disclosure of their personal health information to their health insurance company if the patient has paid in full, out of pocket, for the healthcare item or service. Some healthcare providers are not too happy with this change because they feel it can be very hard to administer.
- ‘Breach’ has a new definition. This is one of the most talked-about changes in the final rule, as it alters how and when healthcare providers must notify HHS of a breach. Earlier, providers had to report a breach only if it posed a significant risk of financial, reputational, or other harm to an individual. The final rule shifts the burden of proof to the entity itself: healthcare providers must now demonstrate that no compromise of information has occurred. If there is a likelihood that the information has been compromised, the incident is considered a ‘breach’.
These aspects of the final rule are sure to have a major impact on healthcare providers. While providers prepare themselves and make changes to their systems in order to comply with the final rule, the task may be too tedious without the help of comprehensive vulnerability and security management platforms such as Aegify Security Posture Management and Aegify SecureGRC, which offer simple and quick steps to comply with the final HIPAA rule and keep health information safe and secure.