Almost four years ago, the HITECH Act was signed into law, but a major regulation implementing its provisions, the HIPAA/HITECH “Omnibus Rule”, has yet to be published. The final rule, however, is expected soon, and healthcare IT companies must prepare for it.
In 2009, HITECH enhanced the HIPAA requirements, and the penalties increased dramatically. Specifically, the maximum civil monetary penalties increased from $250,000 to $1,500,000. Since the enactment of HITECH, we have seen an extensive increase in audits and HIPAA enforcement activities. The Office of Civil Rights (OCR) alone has investigated and resolved 18,122 privacy complaints and 454 security matters related to covered entities. In addition, in late 2011, the federal government commenced a HIPAA audit program for covered entities, which will expand to audit business associates. Historically, the privacy breaches have been based upon:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Uses or disclosures of more than the minimum necessary protected health information; and
- Lack of administrative safeguards of electronic protected health information.
Today, all covered entities and business associates must comply with the Security Rule administrative, physical and technical safeguards, although federal regulators have indicated they will not enforce compliance with respect to business associates until the HITECH/HIPAA Omnibus Rule is issued and made effective. One such safeguard is performing an information risk assessment to ensure there are adequate security safeguards in place to protect PHI. Recently, two covered entities were fined and penalized for failing to conduct a thorough analysis of the risk to the confidentiality of the PHI maintained on portable devices, or for failing to implement security measures sufficient to ensure the confidentiality of PHI. In fact, one provider, whose stolen laptop held fewer than 500 records, was fined $50,000 and entered into a corrective action plan settlement with the government. Another provider lost an unencrypted laptop and was fined $1.5 million.
In light of the extensive fines and penalties and the requirements to address and implement administrative, physical and technical safeguards, it is imperative for providers and business associates to be aware of the new HIPAA Rules that are expected to be released soon. The HIPAA/HITECH “Omnibus Rule” will bring even more significant changes in the way healthcare IT is regulated. These changes may affect not only companies contracting directly with healthcare providers, but also downstream subcontractors.
Major changes include:
- Healthcare IT companies will need to comply with the HIPAA Security Rule. Full-on compliance with the Security Rule will be a major undertaking for many companies.
- Healthcare IT companies will be subject to federal civil and criminal penalties for using or disclosing protected health information in a way that violates the HIPAA Privacy Rule. This change ups the ante for your compliance program. It’s important that appropriate policies be in place and personnel be trained to follow them.
- Healthcare IT companies will likely need to have business associate contracts with their subcontractors who have access to protected health information. Companies should have a strategy now for their business associate contracts.
Morris, Manning & Martin’s Privacy and Data Security attorneys can help you prepare for the Omnibus Rule by assessing (i) how the rule will affect your business, (ii) what needs to be done to comply, and (iii) how to mitigate regulatory risk.