The health care industry has been waiting a long time for this. In late January, the Department of Health & Human Services (HHS) finally issued the HIPAA Omnibus Rule (the full text of the ruling is available from HHS). Since HIPAA was first released in 1996, the rules have always existed in a “proposed” or “interim” status. This release finalizes the Security and Privacy Rules of HIPAA, as well as the Enforcement Rules from the Health Information Technology for Economic and Clinical Health (HITECH) Act. So, what does all this mean? What is the impact for affected companies?
Leon Rodriguez of the HHS said it best: “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” This release is very significant: it not only alters some critical aspects of the regulations, it also expands the scope of HIPAA considerably. Unfortunately, like any other part of the Federal Register, the Omnibus Rule manages to be simultaneously long-winded and densely written.
There is no doubt that these changes will challenge security and compliance teams for years to come. After reviewing the document, we have cataloged some of the more significant issues.
The rule was published in January and goes into effect March 23, 2013. The compliance due date is September 23, 2013, which is 180 days from the effective date. That is a very short time for organizations to digest such a dense set of rules. This could present a huge challenge for smaller organizations that are unprepared for these changes, particularly those that previously thought HIPAA was not applicable to them.
HIPAA Expands, Covers More Organizations
Since its inception, the scope of HIPAA was always fairly clear. Covered Entities (health care providers, plans and clearinghouses) were required to meet HIPAA regulations. In 2009, the American Recovery and Reinvestment Act (ARRA) placed Business Associates, non-covered entities who perform services that require them to handle HIPAA data, under HIPAA as well. HIPAA Omnibus takes the scope another step further: HIPAA now covers subcontractors of Business Associates as well. This means a lot of companies that do not think HIPAA applies to them are now required to be HIPAA compliant.
Effectively, all Business Associates of Covered Entities must consider any of their subcontractors who manage PHI to also be Business Associates. They must contractually obligate them to adhere to HIPAA rules. Moreover, the failure of a contractor to acknowledge its responsibility does not free the Associate from its regulatory obligation.
There is an exception for what HIPAA calls “conduits.” This is a very limited subset of vendors, such as couriers, package services, and Internet service providers (ISPs), who only have intermittent and ephemeral opportunity to access HIPAA data. “In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.” That means that something like a document storage provider is a Business Associate, not a conduit, even if your contract stipulates that they are not allowed to open or read the relevant HIPAA documents.
Furthermore, a lot of cloud providers, such as Amazon AWS or Google Docs, will likely get snared into this requirement as well. There is a specific clarification which says that any entity with “more than random” access to PHI is considered a Business Associate. Since many cloud providers provide more than just a network, offering tools to sort, assess and manage systems (which contain PHI), they would not fall into the “conduit” exception and therefore would need to meet HIPAA requirements.
These changes echo a trend in compliance to extend regulations beyond the covered entity to relevant third parties who have access to protected information. This makes HIPAA similar to other standards such as PCI. It effectively prevents organizations from “outsourcing” their HIPAA obligations to somebody else.
HIPAA Information Requests
Individuals’ requests for their HIPAA records must now be fulfilled within 30 days, with one 30-day extension permitted (for which a reason must be provided in writing), for an upper limit of 60 days to comply. The old rule allowed another 30 days for data stored offsite. That clause is now gone.
Companies must make a best effort to provide the data in a specific electronic format, if requested. If the patient demands data in a deprecated technology format not easily available to the company, the request may be denied, and the company can provide the data in a format that it has available. As a last-resort fallback, printouts are always legally acceptable. Companies are not obligated to use electronic media the requestor provides if such use might pose a threat to their security, such as writable media that could potentially carry malware. If an individual requests that their HIPAA data be electronically transferred to them in an insecure manner (e.g. unencrypted email or file transfer), the company is obligated to explain the risks. If the individual accepts the risks, then it is acceptable to transfer the data in the insecure manner requested. While this does not fundamentally alter HIPAA rules, it could require some significant process modifications.
Companies are allowed to charge reasonable fees for servicing HIPAA records requests. What constitutes “reasonable” is a complex question that lawyers will need to interpret. However, companies can recoup the basic labor costs of retrieving records; they just cannot slap any discretionary fees on top of that.
The biggest change here is that individuals are now allowed to demand that their PHI not be disclosed under some circumstances. The requirements are very detailed, but in essence this allows an individual to request that their payer (such as an insurance company) not be notified if the individual is paying “out of pocket” for a procedure. Previously, individuals were able to request such treatment of their data, but there was no requirement for covered entities to oblige them. Now the request must be honored, within certain limits. There is no requirement to store such data separately. However, it must be tagged so that it will be withheld from subsequent disclosures. Legal and regulatory requirements override these non-disclosure requests. Also, if a patient does not pay for the procedure directly, then the data may be released to the insurer in order to obtain payment.
In addition, covered entities are required to add a number of new statements to their Notice of Privacy Practices. The two most significant additions are: 1) it must explain the non-disclosure option described above; 2) it must include a statement explaining the covered entity’s legal obligation to provide breach notification.
Covered Entities must also now get permission to sell PHI. While it is hard to imagine organizations selling PHI, it does happen, probably more than the general public realizes. This rule will effectively bring this activity to the light of day, and could eliminate it entirely.
Audits and Penalties
Perhaps the most eye-opening change in the regulations is that HIPAA is moving from a voluntary compliance model to an audit-and-penalty model, similar to more rigorous standards like PCI DSS.
The fine structure for not following proper practices is now tiered, with progressively increasing penalties for greater degrees of willful negligence. The current maximum fine for a single violation is $50,000, with a maximum of $1.5M per year for multiple violations of the same provision.
HHS will be performing the audits. As with many regulatory processes, smaller organizations will probably avoid the brunt of the audit work, since there is more to gain from focusing on the larger entities. However, it is equally likely that egregious violators will be targeted as an example of HHS’s crackdown. HHS has already started a “wall of shame” for organizations that have had a breach of 500 or more records.
Breach Notification Changes
There are also changes to when a breach must be disclosed to HHS. The old breach notification rule was based on an assessment of whether harm was done through the unauthorized exposure of data. The new breach notification rule is about whether data was exposed, not what the data was or whether any measurable harm could come of it. In any case of potential data exposure, a company must now perform a risk assessment that takes into account factors like (a) what data was exposed, (b) who it is believed to have been exposed to, and (c) whether it is likely that the data would be misused. The risk assessment is a good-faith effort, and it is expected that smaller breaches will be investigated and companies penalized if they are not following good practices.
Based on our analysis, this opens the door for many forms of “interpretative abuse.” We’d much prefer to see an emphasis on the actual occurrence of a breach, rather than an assessment of what data was possibly compromised and why. However, it also means that Covered Entities are going to need to be able to conduct risk analysis in a more diligent and efficient manner. This aligns with our efforts at Anitian to speed up risk assessment efforts using advanced tools and more aggressive techniques.
Lastly, there is an expectation that even relatively small violations will be subject to regulatory review.
There are plenty of other changes, but these represent the most significant ones that we noticed upon first review. Of course, as more and more organizations digest this massive document, there will likely be more details emerging.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com