Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    HIPAA Update Tightens Data Breach Liability Risks for IT Companies

    By
    Brian T. Horowitz
    -
    January 22, 2013
    Share
    Facebook
    Twitter
    Linkedin

      An update to the Health Insurance Portability and Accountability Act (HIPAA) could make IT companies more liable for leaked health information, said industry experts.

      Business associates now must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers, according to the final “omnibus” rule the U.S. Department of Health and Human Services (HHS) announced on Jan. 17.

      Companies that produce electronic health record (EHR) software, offer billing and transcription applications, host data in the cloud or provide backup services will be responsible for health information leaks, according to Doug Pollack, chief marketing officer for ID Experts, which offers data breach prevention tools.

      “The majority of business associates now are probably not meeting the letter of the law in terms of their security obligations,” Pollack told eWEEK. “I think it’s going to require a wake-up call.”

      Although larger IT companies such as Microsoft and Verizon offer business associate agreements (BAAs) as part of their cloud services and allow health care organizations to be HIPAA-compliant, other smaller vendors will need education on how to comply with the privacy and security rules, said Pollack.

      “There will be breaches, and you’re going to see substantial monetary penalties applied to business associates for not being rigorous about meeting their security obligations,” Pollack said.

      Health care organizations and IT companies may also need to change their documentation practices to avoid data breaches, he said.

      ID Experts offers an application called Risk Assessment, Documentation and Reporting (RADAR) that helps health care organizations track data-leak incidents and provides guidance on whether HIPAA requires notification, said Pollack.

      HHS also strengthened the data breach notification requirements of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. At that time penalties for data breaches could cost around $250,000, but under the new HIPAA final rule, HHS has increased the maximum penalty for noncompliance to $1.5 million per violation.

      HIPAA was first enacted in 1996.

      “Much has changed in health care since HIPAA was enacted over 15 years ago,” HHS Secretary Kathleen Sebelius said in a statement. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

      The final rule takes effect on March 26, and covered entities such as health insurance organizations and business associates like IT companies must comply by Sept. 23.

      Another change in the latest HIPAA rule is the threshold for which a company determines that a breach might harm patients and may need to be reported to HHS.

      Organizations may have been using the harm threshold as a reason not to notify HHS and the public if health data had been compromised, Pollack said.

      HIPAA Update Tightens Data Breach Liability Risks for IT Companies

      This loophole was not what the Office of Civil Rights (OCR) within HHS had intended, “so they made this change to kind of eliminate that ‘get out of jail free’ card for those that had chosen to interpret it that way,” said Pollack.

      “Your role is to determine whether the data was exposed, not to determine whether that exposure ultimately could be harmful for patients,” Pollack said of health care organizations. “You’re required to notify if there’s been any exposure.”

      Under the new HIPAA law, patients can also request a copy of their EHRs. Health care providers can not sell patients’ health data for marketing and fund-raising without their permission.

      “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez said in a statement. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”

      The new regulations are so stringent that IT vendors will even need to examine why customers are requesting data before providing it to their customers, Shahid Shah, CEO of IT consulting firm Netspective Communications and author of the Healthcare IT Guy blog, told eWEEK in an email.

      By strengthening the liability of business associates to secure protected health information (PHI), IT companies will be under pressure to avoid the steep penalties of breaches.

      “Many of the clarifications are welcome news to the industry in general, but most of the implications of the changes will generally be troubling to IT teams that were not already treated as business associates,” said Shah. “IT vendors that were already afraid of getting into health care data management due to regulations will find it even more expensive and difficult to convince their management to get into the health care vertical.”

      IT vendors that offer products such as EHR and billing software and backup services will now have to sign BAAs that could carry higher monetary fines for data breaches, Shah noted.

      Companies that offer auditing, compliance, privacy and security services could see increasing demand as a result of the new HIPAA rule, according to Shah. These companies could help with gap analysis, which identifies which security requirements are being met and which are not.

      “The other IT vendors that will see benefits include companies that do network and data inspections for PII [personally identifiable information] and PHI,” said Shah.

      Here is a complete list of HIPAA Compliant Hosting Requirements.

      Brian T. Horowitz
      Brian T. Horowitz is a freelance technology and health writer as well as a copy editor. Brian has worked on the tech beat since 1996 and covered health care IT and rugged mobile computing for eWEEK since 2010. He has contributed to more than 20 publications, including Computer Shopper, Fast Company, FOXNews.com, More, NYSE Magazine, Parents, ScientificAmerican.com, USA Weekend and Womansday.com, as well as other consumer and trade publications. Brian holds a B.A. from Hofstra University in New York.Follow him on Twitter: @bthorowitz
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×