September brings the final compliance date for the HIPAA Omnibus Rule (Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, Jan. 25, 2013). HIPAA-covered entities must bring every Business Associate Agreement (BAA) into compliance with the Omnibus Rules by September 22, 2014. This means even the BAAs that pre-dated the new standards, which were grandfathered, must comply with the updated requirements. The US Department of Health & Human Services (HHS) has a model BAA agreement available on their website.
HIPAA-defined “covered entities” and “business associates” have spent the past twenty months bringing their systems, policies, and procedures in line with the HIPAA Omnibus Rule. With the final compliance date approaching, now is a good time to review the rule and ensure that all necessary updates have been made.
Among other things, the HIPAA Omnibus Rule strengthened regulatory protections for Protected Health Information (PHI), increased penalties for HIPAA breaches, and expanded the concept of a HIPAA business associate. More specifically, the rule:
- Finalized modifications to HIPAA’s Privacy, Security, and Enforcement Rules to implement the Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Finalized Privacy Rule modifications aimed at increasing workability
- Significantly modified the Breach Notification Rule, lowering the threshold required for notifying affected individuals of potential PHI breaches
- Implemented the Genetic Information Nondiscrimination Act of 2008 (GINA), prohibiting health plans from using genetic information for underwriting purposes
Taken together, the HITECH Act and HIPAA Omnibus Rule effectuated sweeping change throughout the health care world. After bringing their programs into compliance, covered entities and business associates now turn their focus towards enforcement of the new HIPAA landscape.
Expanded Enforcement and Penalties
Federal fiscal year 2014 brought a permanent HIPAA audit program under the guidance of the HHS Office for Civil Rights (OCR), the agency charged with enforcing HIPAA. According to OCR Regional Director Leon Rodriguez, OCR wants “to hit more entities and be more focused on parts of the privacy and security rules for which breaches are at high risk.”
Risk analysis will be a major focus of the permanent audits because the pilot audit program found that many entities conducted only shallow risk analyses and did not update their processes to account for changes such as new systems or business strategies. Indeed, two-thirds of the pilot audit participants did not have an accurate or complete risk analysis. According to Director Rodriguez, entities must review their risk analysis with any business change.
Given the high number and high profile of PHI breaches caused by the absence of encryption, data encryption is another key focus area. The Security Rule makes encryption an “addressable” requirement. In other words, if an organization decides against using encryption, it must document its justification for not doing so and specify a reasonable alternative to protect PHI. The pilot program found a number of firms that had not adopted encryption and had no documented justification for that decision.
A comprehensive and ongoing risk analysis will help identify potential problems, but covered entities must take affirmative action to either adopt encryption or justify why it is not necessary. Awareness of the HIPAA requirements is another key element of compliance. According to early OCR assessments, approximately 30 percent of organizations cited for noncompliance in the pilot program were unaware of the requirement. Among the top unknown requirements were risk analysis, audit controls, and disposal.
The permanent HIPAA audit program, coupled with the increased fines from the Omnibus Rule, is having a very real impact on covered entities. Over the past 12 months, HHS has collected more than $10 million in settlements from covered entities. Nearly half of this total, $4.8 million, came from one breach involving a joint compliance arrangement between two New York hospitals. At the other end of the scale, HHS reached a relatively modest $150,000 settlement with a Massachusetts practice for failure to have appropriate breach notification policies and procedures in place. OCR has also sought enforcement against entities for failure to detect and protect against security risks.
HHS Tool to Assist with Risk Assessment
Perhaps to counterbalance the renewed focus on HIPAA enforcement, the HHS Office of the National Coordinator for Health Information Technology (ONC), working with OCR, released its Security Risk Assessment (SRA) tool. The SRA tool aids covered entities in complying with the HIPAA Security Rule.
As noted by Director Rodriguez, the Security Rule requires that covered entities and business associates conduct regular risk assessments of their administrative, physical, and technical safeguards. The SRA tool assists in the risk assessment process through a series of 156 questions targeted at the entity’s security practices. An affirmative or negative answer prompts a response from the SRA tool indicating whether the entity needs to take corrective action for that particular item. The SRA tool contains resources to help the entity assess the potential impact to its PHI if a requirement is not met, and prompts the entity to document what needs to be done.
HHS developed the SRA tool as a self-contained, stand-alone application capable of running on a laptop, desktop, or tablet. Responses are recorded directly in the tool and are not transmitted outside the device. For less tech-savvy compliance personnel, the SRA tool is also available in paper format. Successful use of the SRA tool does not ensure compliance with HIPAA, just as negative answers do not mean an entity is out of compliance. It is merely a tool, but a helpful one in that it provides the most accurate picture of the topics HHS finds most relevant.
Thus, although HHS does not guarantee that using the SRA tool ensures compliance, it does provide an additional resource for covered entities and business associates to assess the security practices of their organizations. Given OCR’s focus on compliance audits, and the steeper penalties after HITECH and the Omnibus Rule, having another compliance tool should be seen as a benefit.