HIPAA Omnibus Rule enforcement expected

The HIPAA Privacy and Security final rule -- also known as the HIPAA Omnibus Rule -- became effective March 26. One expert predicts enforcers will have a heyday with expanded ability to crack down on providers and their business associates.

According to Jorge Rey, an associate principal and the director of information security and compliance for Kaufman, Rossin, the biggest difference in the new rule is a change in breach notification. Under the old rule, providers were presumed innocent of harming patients when a breach occurred – until they proved otherwise. Under the new rule, providers are presumed guilty of harming patients when data is breached. They will have to prove their innocence.

Providers and their vendors and subcontractors have, “in theory,” 180 days to comply before the Office for Civil Rights (OCR) begins enforcing the Omnibus Rule on Sept. 23, 2013, Rey warned. But this doesn’t mean providers should relax. They will still be held accountable under the old HIPAA rules until then, he explained.

The addition of business associates under the Omnibus Rule could catch some companies and providers unaware and unprepared, Rey cautioned. “A lot of business associates didn’t plan for this,” he said of the expanded HIPAA rule. “They have never had to comply with HIPAA before.”

Rey said OCR has already prosecuted five covered entities, with the settlements ranging from $50,000 to $1.7 million. The smallest OCR enforcement action involved the breach of fewer than 500 records. “I think they are putting out the message that they are serious about enforcement. They are going after small and large cases,” Rey noted.

He said he has received emails from OCR indicating the agency is starting to hire enforcement officials. “There’s going to be a lot of enforcement going forward,” he continued.

How to prepare? Rey said small provider groups, short on resources, can rely on parent organizations or even government programs to help them do risk analysis. “Don’t take this lightly. The main reason covered entities ran into big problems with OCR last year was they didn’t conduct risk assessments,” he continued. “Providers should identify all of their vendors with access to personal health records and ensure they are protecting it according to the new HIPAA rule.”

In addition, “create a visual map of your data; understand where your data is,” Rey advised. Encrypt data on laptops and determine whether data would be kept safer in a centralized location. He pointed out that PCs and servers are also vulnerable to breaches.