
HIPAA compliance: New regulations change the game

Recent changes to HIPAA regulations coupled with renewed HIPAA enforcement may stir a panic among enterprise security teams charged with safeguarding PHI. Not so, according to security management expert David Mortman. Learn how HIPAA has changed and how your organization can remain compliant.

As you may know, changes to the Health Insurance Portability and Accountability Act (HIPAA) were recently enacted under The Health Information Technology for Economic and Clinical Health Act (HITECH) as part of the recent American Recovery and Reinvestment Act. However, these changes don't go into effect until February of 2010, meaning there's time before companies need to be compliant. So like the cover of the Hitchhiker's Guide to the Galaxy says: "Don't panic."

Before delving into the changes, it's important to understand that under HIPAA there are three general groups of organizations: covered entities, business associates and everyone else. Covered entities are generally health care organizations or health insurance companies (though this gets complicated with companies that self-insure). Business associates are organizations that support covered entities and handle protected health information (PHI), such as online backup providers, billing agencies and organizations that support eHealth products, and everyone else is, well, everyone else.

HIPAA requires covered entities to meet specific criteria to be certified compliant; if they do not, those entities are subject to fines. As a result of HITECH, civil penalties for HIPAA violations have gone up significantly, potentially to the tune of $1.5 million per year in fines. Additionally, deliberate disclosure of PHI for non-legitimate reasons can now lead to criminal prosecution. HITECH specifically allows state attorneys general to file civil suits as well as criminal charges, though for many states this was already the case due to CA 1386 and other state data breach-notification laws.

HIPAA's other major change for covered entities is that they must now disclose if and when they have a security breach and client data is exposed. All users whose data has been lost must be notified, and if more than 500 individuals' data is lost, the organization must notify the Secretary of the Department of Health and Human Services (HHS), who will publicly post the breach on the HHS website.

If your organization is classified as a business associate, this is the time when you will consider panicking. Prior to the changes, HIPAA required business associates to have contracts with the covered entities enforcing the appropriate privacy and security controls over individuals' PHI. Now the requirements for business associates have been significantly expanded. Under HITECH, business associates are subject to the same civil and criminal penalties as covered entities, as well as the disclosure requirements outlined above.

The Secretary of Health and Human Services is supposed to publish guidelines by Apr. 17, 2009; that should provide more clarity regarding what exactly business associates need to do. In the meantime, a good best practice is to assume the new requirements will be similar to the requirements for covered entities, so start retooling the necessary parts of your business appropriately. For starters, covered entities should make sure they are actually meeting the requirements of their existing contracts. From there, implement controls to minimize who has access to that critical data, and start examining stronger protection such as encryption. Patterning after covered entities will put the company way ahead of the game; the worst-case scenario is the company will have done more than is strictly necessary and will have become an improved organization for the effort.

Members of the final category, everyone else, will likely see some changes as well, though this will depend on the final decisions of the Secretary of Health and Human Services around business associates. The most likely change will be that consumers must identify themselves more strongly to business associates in order to be granted access to information. Similarly, companies that provide services to business associates will quite likely see more security and privacy terms in their contracts, especially if they have any dealings with systems that contain PHI.

HITECH (not to mention recent HIPAA enforcement activities) has shown that the government now takes the security and privacy of medical records far more seriously than it has in recent years. As a result, all covered entities and business associates should proactively review their security and privacy policies, processes and controls, and evaluate where they stand. Time flies, and February 2010 will be here much sooner than it may seem. There is always the option of taking a chance and choosing not to comply, though given that HITECH allows for both federal and state criminal and civil proceedings to be brought against non-compliant companies and their executives, you won't see me advocating that choice to anyone I work with.

About the author:
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.

This was last published in April 2009
