National and local health care organizations, their contractors and many subcontractors with new or renewed agreements to handle protected health information have until late September to come into compliance with the new federal Health Insurance Portability and Accountability Act omnibus rule or face stiff financial penalties.
The new rule requires not just direct health care providers to be compliant, but now also second-tier business associates and third-tier vendors. The changes in the law hold those second- and third-tier companies directly liable for security breaches in a patient's protected health information.
The new requirements went into effect March 26, but affected businesses have until Sept. 23 before the government can enforce the stiff new penalties for noncompliance. Violations of the same regulation in a calendar year now carry a maximum fine of $1.5 million, up from $100,000. The minimum fine is $100, and the amount of the fine depends on the severity of the violation.
HIPAA first went into effect in 1996 to protect a patient's right to privacy in the electronic age.
The biggest change, say those in the region familiar with HIPAA, is in liability if a breach of a patient's protected health information occurs. Until March, the burden was exclusively on the "covered entity" — doctors, clinics, dentists, nursing homes, pharmacies, health insurance companies and others that come in direct contact with a patient.
Now the burden of liability drills down further to "business associates" — contracted organizations that deal with a patient's protected information, such as some medical testing labs, lawyers and medical billing centers. Previously, if a security breach of a patient's protected health information occurred within a business associate, the liability still fell on the covered entity. At times, the new regulations also cover "vendors" — subcontractors of the business associates, such as a storage facility housing medical files.
"Business associates are concerned," said Nicole Radziewicz, a lawyer specializing in health care law at Rhoads & Sinon in Harrisburg. "Covered entities have been dealing with this for years, but it's new for the business associates. I don't think we've seen anyone too panicky, but I don't think we've seen anyone that's too thrilled either."
Covered entities face heightened financial burdens and increased scrutiny over how they secure protected health information. Previously, there was a presumption that a security breach of protected health information posed a low risk and therefore was not reportable to affected patients.
Now, it is presumed all breaches are reportable unless the covered entity can prove otherwise through a self-investigation process, Radziewicz said.
Officials at Holy Spirit Health System, a covered entity, say they have spent about 1,000 man-hours updating the system's policies and procedures to come into compliance throughout the organization.
That includes updating contracts with its business associates to reflect the changes in the law, as well as the forms patients must fill out when they enter the system.
"I wouldn't say it's a relief" that business associates are now held liable, said Ami Zumkhawala-Cook, chief compliance officer at Holy Spirit in East Pennsboro Township. "It doesn't decrease our burden, but it's reassuring that we now have the law applying directly to the business associates. This is definitely a far more equitable system."
Business associates who had existing contracts with the covered entities before the March deadline actually have until Sept. 23, 2014, before compliance can be enforced. This year's compliance deadline is for new or renewed contracts since March.
The changes have been in effect since March, but the government allowed the six-month grace period before enforcement. Even with the date looming, enforcement might not be as strict as the government promises, said Kathryn Lease Simpson, a lawyer at Mette, Evans & Woodside in Harrisburg who practices health care law.
"We've still got this sequester," she said. "I don't know how realistic (enforcement) is, and a lot of it depends on self-reporting. I just know that entities that I deal with are taking this very seriously. Very seriously. But it's not like this is being sprung on anyone."
Officials at the Office for Civil Rights, the branch of the U.S. Department of Health and Human Services in charge of enforcing the new rules, said there will be "robust enforcement" of all HIPAA regulations from the office.
Rachel Seeger, office spokeswoman, said there are roughly 233 full-time employees throughout the 10 regional offices and the national office in Washington, D.C., that will handle compliance.
"That's one of the biggest changes, the reality that HIPAA might actually be enforced going forward," Radziewicz said. "The sleeping giant has been awoken."
Some of the major changes in the Health Insurance Portability and Accountability Act (HIPAA) that the government can enforce starting Sept. 23:
BEFORE: Legal and financial liability for a security breach of protected health information started and ended with the covered entity.
NOW: Liability lies not just with the covered entity but also with contracted and subcontracted business associates.
BEFORE: Maximum penalty for repeated, identical HIPAA violations in a calendar year was $100,000.
NOW: Maximum penalty is $1.5 million.
BEFORE: Security breaches of protected health information were presumed nonreportable to those affected unless proven otherwise.
NOW: All security breaches are presumed reportable unless the covered entity can prove otherwise.
BEFORE: Covered entities could sell protected health information.
NOW: Individuals must authorize any sale of that information.