Next week marks two months since the deadline passed for compliance with the new HIPAA Omnibus Rule, and I thought it'd be a good time to check in to see how you're progressing.
Everyone has everything buttoned up, right? Ready for an audit? No, not exactly? Well, then, you had better get moving - you could face fines of up to $50,000 per violation, with the penalty tier determined by the level of negligence.
First, a primer: If you're not familiar with the Omnibus Rule, it was announced in January by the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights and sets forth requirements for every organization that deals with protected health information, commonly known as PHI. The burden for HIPAA privacy and security is no longer placed solely on covered entities, such as doctors' offices and hospitals, but now extends to their business associates, such as billing providers or claims processors.
And that's a big deal, considering 58 percent of health care breaches - and some of the largest ones that have been publicly reported - are the fault of third-parties, according to the nonprofit Health Information Trust Alliance (HITRUST).
The Omnibus Rule officially took effect in March, but covered entities, business associates and business associates' subcontractors were given a 180-day grace period to comply with the new requirements. That date came and went on Sept. 23.
Pilot audits are already underway, and now that the deadline has passed, more targeted audits are expected to begin in late October. Any organization that handles sensitive patient information and is found to be out of compliance with the rule could face steep fines.
The Omnibus Rule - which implements the various provisions enacted by the Health Information Technology for Economic and Clinical Health Act (HITECH) - was designed to give HIPAA more "teeth" by increasing privacy protection requirements, providing patients with new rights to their health information and bolstering federal enforcement abilities.
The actual rule is no light read. Including commentary from the Office for Civil Rights, it checks in at 563 pages.
But, instead of parsing through the law itself, allow me to highlight some of the notable changes. The following is not a comprehensive list of all modifications to the law, but underscores some key considerations for patients and any organization handling PHI.
In summary, the expansion of patient rights and broader liability for violations each translate into an increased burden on organizations that handle PHI.
It is covered entities, business associates and subcontractors that must manage the appropriate use and disclosure of PHI. And in the case of improper use or disclosure, it is those same covered entities, business associates and subcontractors that are held responsible for the misconduct.
HIPAA has come a long way since its inception in 1996, and it finally has some serious teeth. HIPAA came to be as part of an effort to ensure that individuals could maintain insurance coverage when changing jobs.
Seventeen years later, in addition to insurance portability, HIPAA regulates how PHI is handled to make sure that those who should have access to a patient's information - and only those who should - actually do.
If you have any questions about HIPAA rules, drop me a line at cdbrown@trustwave.com and I'll be happy to get back to you.
Good luck!
Christoffer Brown is a solutions development specialist on the Compliance and Risk team at Trustwave.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.