The US Department of Health and Human Services (HHS) is set to publish a new set of HIPAA rules this week, including stricter provisions on the privacy and security of patient health information. CIOs will need to get ready for some fast and sweeping changes.
The regulations are set to take effect March 26, 2013, with a compliance date of Sept. 23, 2013, for covered entities and business associates.
The rules will establish a new chain of responsibility and legal liability that needs to be addressed immediately, not only by the CIOs of healthcare organizations of all sizes, but also by their counterparts at service providers and business associates, including data miners and IT service providers.
Covered entities will now have to obtain written assurances from every business associate, and business associates from their own subcontractors, for as long as protected health information keeps flowing down the chain; each link in that chain is directly liable for the HIPAA requirements that apply to it. "Covered entities must ensure that they obtain satisfactory assurances required by the Rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far 'down the chain' the information flows."
The fines are tiered by culpability and can go as high as $1.5 million per calendar year for violations of an identical provision.
That is obviously a huge change. It will require significant reworking of business associate agreements, and of the service-level agreements and contracts that sit behind them, and it may cause the rethinking of vendor decisions. But that's just the beginning.
Under the new rules, a covered entity will need the patient's written authorization before using or disclosing protected health information for most marketing communications or for any sale of that information; sharing for treatment, payment, and health care operations is still permitted without it. Data miners and other business associates will be able to process protected health information only within the scope of their business associate agreements, and any sale of that information will require the patient's authorization. Also, patients will be able to ask for a copy of their electronic medical information in electronic format.
"Much has changed in health care since HIPAA was enacted over fifteen years ago," HHS Secretary Kathleen Sebelius said in a press release. "The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."
What issues do CIOs need to address? Many, if we look at the provisions closely.
- Definition of "data breach": Under the 2009 interim rules, breaches were defined as incidents that posed a significant risk of financial, reputational, or other harm. Under the new rules, an unauthorized use or disclosure of protected health information is presumed to be a reportable breach unless a covered entity can demonstrate a "low probability" that the information has been compromised. So every impermissible use or disclosure must be treated as a reportable breach unless a documented risk assessment shows that low probability, and the burden of proof is on the entity. The assessment has to weigh at least the nature and extent of the information involved, the unauthorized person who used or received it, whether it was actually acquired or viewed, and how far the risk has been mitigated.
- Chain of responsibility: CIOs of healthcare organizations, insurance companies, and service providers will need to coordinate efforts to prevent unauthorized transmission of protected health information and to ensure its security, because the obligations in each business associate agreement now have to flow down to every subcontractor that touches the data.
- Authorization for information sharing: The rules will generally require a patient's written authorization before their health information is used to send them marketing communications, reversing the default under which such communications could be sent without asking first.
- Systems: CIOs need to prepare their systems to provide patients with electronic copies of their health records if requested, in the form and format the patient asks for when it is readily producible.
Data breaches are becoming the biggest fear for patients and healthcare organizations alike. The new rules are important because they impose a new level of responsibility on the people and organizations handling electronic health records. HHS estimates compliance costs at $114 million to $225.4 million for the first year.
Leon Rodriguez, director of the HHS Office for Civil Rights, said in the press release:
This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.
That will be great for patients, but for CIOs, it means rolling up your sleeves. Are you ready?