Healthcare Technology Featured Article

January 18, 2013

Privacy Leak at HIPAA-Covered Entity Means Penalties for Same Under New Rule

With the sweeping changes to healthcare in recent days, it's not surprising to see new rule changes regularly crop up and make their presence known. One of the newest rule changes from the United States Department of Health and Human Services (HHS) puts a whole new onus on hospitals, physician partners, and similar entities falling under the coverage of the Health Insurance Portability and Accountability Act (HIPAA): if there is a leak in privacy protection, it's the entity that must pay the penalties.

The new rule is referred to as the "omnibus" privacy and security rule due to its massive scope, and serves as an update to previous rules in HIPAA thanks to the passing of 2009's American Recovery and Reinvestment Act. But the new rule contains more than just a new standard of blame: it also covers when a breach in privacy needs to be reported to the Office of Civil Rights. Further, it establishes new rules on when patients can be identified for purposes of marketing or fundraising, and brings certain associates of hospitals and similar entities, such as data miners, under the umbrella of liability for breaches.

The director for the Office of Civil Rights at HHS, Leon Rodriguez, called the rule changes "the most sweeping changes (to the HIPAA Privacy and Security rules) since they were first implemented," and given that the rule changes cover fully 563 pages, it's a safe bet that Rodriguez may not be indulging in hyperbole. The official publication of the new rule is set for January 25, with an effective date of March 26 and a compliance date of September 21, likely to provide enough time to make the necessary system changes to accommodate the rules.

Given that the original HIPAA passed 15 years ago, it's safe to say that some changes were likely necessary. Fifteen years ago, after all, the Internet was only just getting started in a lot of places, and many were still working with dial-up Internet access, so the landscape has certainly changed to a degree that requires some modification of rules. But at the same time, it's not hard to look at this novel of rule changes--563 pages would take several days just to read--and think that maybe we're going a little overboard. The pressures on the healthcare sector are already massive, and some reports indicate that physicians are actually looking to get out of the medical industry altogether due to increasing quantities of red tape, so maybe the whole thing is going a bit far.

Still, the rules are the rules, at least for now, and that's going to leave a lot of healthcare providers scrambling to get the new measures in place by the time the compliance date activates.

Edited by Brooke Neuman