The Health Insurance Portability and Accountability Act (HIPAA) has a long history in the world of IT compliance.
From the initial release of the HIPAA Security Rule in 2003 through the passage of the HITECH Act in 2009, information security professionals in the health care industry have focused on implementing controls designed to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). The Department of Health and Human Services' (HHS) January 2013 release of the HIPAA Omnibus Rule opens the next chapter in HIPAA compliance initiatives.
The new omnibus rule technically went into effect in late March, but organizations subject to HIPAA have until Sept. 23, 2013, to become fully compliant with the new regulation. For security practitioners, there are two particular points of interest: the rule's new view on data breaches and the expansion of HIPAA's provisions to include business associates. In this tip, we look at these two changes and their impact on IT security professionals who support enterprise compliance efforts.
Data breaches and the risk of harm standard
During the rulemaking process that led to the HIPAA Omnibus Rule, there was quite a bit of debate between the health care and privacy communities regarding how the regulation would define a data breach. This is important because it spells out exactly when a breach or loss of data must be reported to individuals, the media and/or HHS, exposing an organization to reputational damage and possible fines. Privacy advocates argued that any potential disclosure of personal information should be considered a data breach, while opponents countered that HHS should follow the more complex "risk of harm" definition in the draft regulation. If adopted, this standard would have required that for an incident to be defined as a breach, it must be shown to cause "a significant risk of financial, reputational or other harm to an individual."
A compromise was reached so that under the new Omnibus Rule definition, breach notification is required when a covered entity or business associate experiences an impermissible use or disclosure of protected health information (PHI). When such an impermissible use or disclosure occurs, the event is presumed to be a breach unless the entity can demonstrate that there is a low probability that the PHI has been compromised. In other words, the rule creates a presumption of breach that the covered entity must overcome.
Organizations subject to the provisions of HIPAA should take the opportunity to reevaluate their existing incident response and breach notification practices to ensure that they are in compliance with the new mandate. This should include verifying that the organization's definition of a breach is consistent with HIPAA's requirement, and that the risk assessment needed to determine whether an incident constitutes a breach is actually carried out. Additionally, policies and procedures that implement the requirements to notify both HHS and affected individuals when a breach occurs should be in place.
Extending HIPAA's reach to business associates
The Omnibus Rule also creates new responsibilities for the business associates of HIPAA covered entities who handle protected health information. While the original HIPAA rules required covered entities to enter into business associate agreements (BAAs) with their partners, the new rules extend the authority of HHS to regulate those business associates, as well as any subcontractors they employ.
From a compliance perspective, covered entities should review all of their business practices to ensure they have correctly identified business associates, and then review the BAAs they have in place to ensure that they require organizations to comply with the HIPAA Privacy Rule and Security Rule. Organizations that serve as business associates should conduct gap and risk assessments to ensure that they comply with the rules and understand their legal responsibilities to both the covered entity and HHS. Expect to see enforcement actions from HHS against business associates later this year, after the Sept. 23, 2013, compliance deadline passes.
Overall, security practitioners will not be tremendously affected by the new Omnibus Rule. While other provisions of the rule do have some significant potential business effects, such as providing patients with the right to receive electronic copies of their medical records and requiring authorization and opt-out capabilities for certain marketing and fundraising activities, the security implications should be manageable. Covered entities that appropriately tweak their incident response and business associate practices should find themselves with little to change, from a security perspective.
About the author
Mike Chapple, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Study Guide and Information Security Illuminated.