Earlier in 2013, the Department of Health and Human Services modified the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the law that protects sensitive health data. The act requires any entity that handles protected health information to have specified physical, network, and process security measures in place to govern how health records are stored, accessed, and shared.
The new regulations, known as the “HIPAA/HITECH Omnibus Final Rule,” establish new standards for determining whether a security breach has occurred. The stakes are now high for those involved: an incident is presumed to be a reportable breach unless the entity can demonstrate, through a documented risk assessment, a low probability that the protected health information was compromised. There are also increased penalties for entities that do not comply with the new breach notification regulations.
Employers and business associates have to update their HIPAA policies and procedures to address these regulatory changes, and conduct risk assessment audits to ensure that the adopted policies and procedures fully address the operational risks.
The revised regulations now make it virtually binding on business associates, that is, vendors that provide services to HIPAA-covered plans, to comply with the HIPAA Security Rule and many provisions of the HIPAA Privacy Rule. Business associates now need to enter into agreements with their subcontractors. The terms of such an agreement may include reimbursement of costs incurred in responding to a security breach caused by a business associate, and indemnification for third-party claims.
The onus is not just on employers but on all stakeholders, especially data centers that handle HIPAA data, to make the necessary workflow changes, update IT policies and procedures, and train their staff on the changes.