HIPAA Update Tightens Data Breach Liability Risks for IT Companies

A change to the federal HIPAA rule adds security requirements for health care software developers and data backup services, classified as "business associates."

An update to the Health Insurance Portability and Accountability Act (HIPAA) could make IT companies more liable for leaked health information, said industry experts.

Business associates now must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers, according to the final "omnibus" rule the U.S. Department of Health and Human Services (HHS) announced on Jan. 17.

Companies that produce electronic health record (EHR) software, offer billing and transcription applications, host data in the cloud or provide backup services will be responsible for health information leaks, according to Doug Pollack, chief marketing officer for ID Experts, which offers data breach prevention tools.

"The majority of business associates now are probably not meeting the letter of the law in terms of their security obligations," Pollack told eWEEK. "I think it's going to require a wake-up call."

Although larger IT companies such as Microsoft and Verizon offer business associate agreements (BAAs) as part of their cloud services and allow health care organizations to be HIPAA-compliant, other smaller vendors will need education on how to comply with the privacy and security rules, said Pollack.

"There will be breaches, and you're going to see substantial monetary penalties applied to business associates for not being rigorous about meeting their security obligations," Pollack said.

Health care organizations and IT companies may also need to change their documentation practices to avoid data breaches, he said.

ID Experts offers an application called Risk Assessment, Documentation and Reporting (RADAR) that helps health care organizations track data-leak incidents and provides guidance on whether HIPAA requires notification, said Pollack.

HHS also strengthened the data breach notification requirements of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. At that time penalties for data breaches could cost around $250,000, but under the new HIPAA final rule, HHS has increased the maximum penalty for noncompliance to $1.5 million per violation.

HIPAA was first enacted in 1996.

"Much has changed in health care since HIPAA was enacted over 15 years ago," HHS Secretary Kathleen Sebelius said in a statement. "The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."

The final rule takes effect on March 26, and covered entities such as health insurance organizations and business associates like IT companies must comply by Sept. 23.

Another change in the latest HIPAA rule is the threshold for which a company determines that a breach might harm patients and may need to be reported to HHS.

Organizations may have been using the harm threshold as a reason not to notify HHS and the public if health data had been compromised, Pollack said.