HIPAA Update Tightens Data Breach Liability Risks for IT Companies
This loophole was not what the Office of Civil Rights (OCR) within HHS had intended, "so they made this change to kind of eliminate that 'get out of jail free' card for those that had chosen to interpret it that way," said Pollack. "Your role is to determine whether the data was exposed, not to determine whether that exposure ultimately could be harmful for patients," Pollack said of health care organizations. "You're required to notify if there's been any exposure." Under the new HIPAA law, patients can also request a copy of their EHRs. Health care providers can not sell patients' health data for marketing and fund-raising without their permission. "This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented," HHS Office for Civil Rights Director Leon Rodriguez said in a statement. "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates."By strengthening the liability of business associates to secure protected health information (PHI), IT companies will be under pressure to avoid the steep penalties of breaches. "Many of the clarifications are welcome news to the industry in general, but most of the implications of the changes will generally be troubling to IT teams that were not already treated as business associates," said Shah. "IT vendors that were already afraid of getting into health care data management due to regulations will find it even more expensive and difficult to convince their management to get into the health care vertical." IT vendors that offer products such as EHR and billing software and backup services will now have to sign BAAs that could carry higher monetary fines for data breaches, Shah noted. Companies that offer auditing, compliance, privacy and security services could see increasing demand as a result of the new HIPAA rule, according to Shah. These companies could help with gap analysis, which identifies which security requirements are being met and which are not. "The other IT vendors that will see benefits include companies that do network and data inspections for PII [personally identifiable information] and PHI," said Shah.
The new regulations are so stringent that IT vendors will even need to examine why customers are requesting data before providing it to their customers, Shahid Shah, CEO of IT consulting firm Netspective Communications and author of the Healthcare IT Guy blog, told eWEEK in an email.