Guest blogger and HIPAA expert Tom Dumez, aka HIPAAMAN and President of Prime Compliance, shares his thoughts and insights on the modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. As we all know, keeping up with HIPAA changes and requirements is an ongoing and challenging process. Perhaps in this blog Tom can shed some light on the complicated and evolving world of HIPAA compliance.
The “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules” Notice of Proposed Rulemaking (NPRM) was initially published in July 2010. The Office of Management and Budget (OMB) has since received the much-delayed Final Rules from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), bundled together in what has been called the “Omnibus Final Rulemaking.” One of the biggest problems in rulemaking is the delay in the issuance of rules due to legal requirements, bureaucratic elements, and political influences. For covered entities (CEs, which are your clients), business associates (BAs, which is you) and their agents and subcontractors (the people you outsource a covered service to), things are changing.
The original NPRM read: “The HHS/OCR will issue final rules to modify the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as necessary to implement the privacy, security, enforcement, and breach notification provisions of Subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009), and will modify the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008.” We originally expected the Rules to be finalized in early 2012. Fast forward to 2013.
We knew that the bundled Final Rule would finalize four HIPAA-HITECH related rulemakings: the Genetic Information Nondiscrimination Act (GINA) NPRM, the Breach Notification Interim Final Rule (IFR), the Enforcement and Compliance IFR, and the HITECH Privacy/Security/Enforcement NPRM.
The HITECH changes address areas such as business associates (BAs), enforcement, electronic access and accounting of disclosures, marketing, fundraising, a prohibition on the sale of PHI, and the right to request restrictions.
Among the biggest changes will be those related to BAs, subcontractors and other parties, as HITECH casts a much wider net over millions of organizations. HITECH Sections 13401 and 13404 make BAs accountable to consumers and to HHS for protecting the privacy and security of protected health information, and directly liable for criminal and civil penalties for violations of certain provisions of the HIPAA Privacy and Security Rules. As it specifically relates to those in the document destruction business (as a BA), the NPRM originally proposed the following:
- Requiring that BAs comply with the technical, administrative, and physical safeguard requirements under the Security Rule.
- Prohibiting a BA from making a use or disclosure in violation of the Privacy Rule.
- Clarifying BAs are liable, whether or not they have an agreement in place with the CE.
- Defining subcontractors as BAs; clarifying that BA liability flows to all subcontractors.
- Higher fines for failing to secure protected health information.
My opinion is that these amendments will stay true to these suggestions. The lines continue to blur as we look at the differences between BAs and covered entities. There are rules that BAs will be expected to follow that have historically applied only to CEs. The five items above will impact BAs. However, these are also simply good business practices. More regulations, more liability, more responsibility, and more risk. This is just one more reason that a real-world, relevant training program for your employees is paramount.
Grand Rapids, MI
Tom Dumez spent more than 12 years at a full-suite commercial records management company before launching his own company, Prime Compliance, in 2012. With extensive operational and managerial experience, as well as his unique perspective on the industry, he provides your employees with a “real-world” educational experience. He is a Certified HIPAA Professional as well as a Certified Security Compliance Specialist. Tom has spoken at many conferences, including PRISM, NAID, ARMA, and the West MI AITP. He has also authored many articles. Tom has provided the industry’s original HIPAA training program to more than 40 commercial record centers, scanning/imaging companies, and document destruction companies since 2010. In addition to training, Tom provides policy, procedure and handbook review, business associate agreement review, and risk assessments. Contact Tom at email@example.com.