HIPAA Compliance Gets Tougher Than Before
Earlier in 2013, the Department of Health and Human Services modified the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects sensitive health data. The act mandates that any entity dealing with protected health information have specified physical, network, and process security measures in place to regulate the storage, access and sharing of health records.
The new regulations, known as the “HIPAA/HITECH Omnibus Final Rule,” establish new standards for determining whether a security breach has occurred. The stakes are now higher for those involved: an impermissible use or disclosure is presumed to be a breach unless a risk assessment demonstrates a low probability that the information was compromised. There are also increased penalties for entities that do not comply with the new breach notification regulations.
The most significant change brought about by the updates is a comprehensive revision of patients’ privacy rights. The updates stipulate new procedures for delivering protected health records in electronic format to plan participants, and individuals are now entitled to receive electronic copies of their health information on request. Disclosures to a health plan about care the patient has paid for out of pocket are now restricted, and there are new regulations governing the use of protected health information for sales, marketing and fundraising purposes.
Employers and business associates have to update their HIPAA policies and procedures to address such regulatory changes, and conduct risk assessment audits to ensure that the adopted policies and procedures fully address the operational risks.
The revised regulations now make it virtually binding on business associates, that is, vendors that provide services to HIPAA-covered plans, to comply with the HIPAA Security Rule and many provisions of the HIPAA Privacy Rule. Business associates now need to enter into agreements with their subcontractors. The terms of such an agreement may include reimbursement of costs incurred in responding to a security breach caused by a business associate, and indemnification for third-party claims.
The onus is not just on employers but on all stakeholders, especially data centers that handle HIPAA data, to make the necessary workflow changes, update IT policies and procedures, and train their staff on the changes.