An update to the Health Insurance Portability and Accountability Act (HIPAA) could make IT companies more liable for leaked health information, said industry experts.
Business associates now must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers, according to the final “omnibus” rule the U.S. Department of Health and Human Services (HHS) announced on Jan. 17.
Companies that produce electronic health record (EHR) software, offer billing and transcription applications, host data in the cloud or provide backup services will be responsible for health information leaks, according to Doug Pollack, chief marketing officer for ID Experts, which offers data breach prevention tools.
“The majority of business associates now are probably not meeting the letter of the law in terms of their security obligations,” Pollack told eWEEK. “I think it’s going to require a wake-up call.”
Although larger IT companies such as Microsoft and Verizon offer business associate agreements (BAAs) as part of their cloud services and allow health care organizations to be HIPAA-compliant, other smaller vendors will need education on how to comply with the privacy and security rules, said Pollack.
“There will be breaches, and you’re going to see substantial monetary penalties applied to business associates for not being rigorous about meeting their security obligations,” Pollack said.
Health care organizations and IT companies may also need to change their documentation practices to avoid data breaches, he said.
ID Experts offers an application called Risk Assessment, Documentation and Reporting (RADAR) that helps health care organizations track data-leak incidents and provides guidance on whether HIPAA requires notification, said Pollack.
HHS also strengthened the data breach notification requirements of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. At that time penalties for data breaches could cost around $250,000, but under the new HIPAA final rule, HHS has increased the maximum penalty for noncompliance to $1.5 million per violation.
HIPAA was first enacted in 1996.
“Much has changed in health care since HIPAA was enacted over 15 years ago,” HHS Secretary Kathleen Sebelius said in a statement. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
The final rule takes effect on March 26, and covered entities such as health insurance organizations and business associates like IT companies must comply by Sept. 23.
Another change in the latest HIPAA rule is the threshold for which a company determines that a breach might harm patients and may need to be reported to HHS.
Organizations may have been using the harm threshold as a reason not to notify HHS and the public if health data had been compromised, Pollack said.
HIPAA Update Tightens Data Breach Liability Risks for IT Companies
This loophole was not what the Office of Civil Rights (OCR) within HHS had intended, “so they made this change to kind of eliminate that ‘get out of jail free’ card for those that had chosen to interpret it that way,” said Pollack.
“Your role is to determine whether the data was exposed, not to determine whether that exposure ultimately could be harmful for patients,” Pollack said of health care organizations. “You’re required to notify if there’s been any exposure.”
Under the new HIPAA law, patients can also request a copy of their EHRs. Health care providers can not sell patients’ health data for marketing and fund-raising without their permission.
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez said in a statement. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”
The new regulations are so stringent that IT vendors will even need to examine why customers are requesting data before providing it to their customers, Shahid Shah, CEO of IT consulting firm Netspective Communications and author of the Healthcare IT Guy blog, told eWEEK in an email.
By strengthening the liability of business associates to secure protected health information (PHI), IT companies will be under pressure to avoid the steep penalties of breaches.
“Many of the clarifications are welcome news to the industry in general, but most of the implications of the changes will generally be troubling to IT teams that were not already treated as business associates,” said Shah. “IT vendors that were already afraid of getting into health care data management due to regulations will find it even more expensive and difficult to convince their management to get into the health care vertical.”
IT vendors that offer products such as EHR and billing software and backup services will now have to sign BAAs that could carry higher monetary fines for data breaches, Shah noted.
Companies that offer auditing, compliance, privacy and security services could see increasing demand as a result of the new HIPAA rule, according to Shah. These companies could help with gap analysis, which identifies which security requirements are being met and which are not.
“The other IT vendors that will see benefits include companies that do network and data inspections for PII [personally identifiable information] and PHI,” said Shah.
Here is a complete list of HIPAA Compliant Hosting Requirements.