Posted May 28th, 2013
By Allison Kibler M.Ed.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to make healthcare providers have safeguards in place to protect the confidentiality, integrity, and availability of patients’ private health information (PHI). In 2013 after much technical and digital growth, the U.S. Department of Health and Human Services (HHS) has introduced additional compliance requirements that providers and their business associates will need to implement by the September 23rd, 2013 deadline. The new rules move HIPAA enforcement away from the voluntary compliance framework and toward a penalty-based system with a maximum fine of $1.5 million per violation.
The biggest changes introduced by the HIPAA Final Omnibus Rule include expanding compliance requirements to business associates who handle provider’s PHI, the requirements for reporting to HHS after a data breach has occurred, the expansion of individual’s rights to access their PHI, and the prohibition of selling or using PHI for marketing and subsidized communications without patients’ permission. These changes increase patients’ rights and strengthen HHS’ ability to enforce HIPAA compliance.
Under the old rule, entities could avoid disclosure if they could prove a breach would cause no harm to the patient. Entities were presumed innocent of harming patients when a breach occurred – until they proved otherwise. Under the new rule, providers are presumed guilty of harming patients when data is breached. The burden of proof is on the provider or business associate at fault.
After a breach, a risk assessment must now be conducted documenting the following:
1. Nature and extent of PHI involved
2. To whom the information was improperly exposed and what harm could result
3. Potential of PHI actually being acquired and viewed
4. Mitigating factors applied to resolve the issue
Here’s a great article with more information: New HIPAA/HITECH Rules Implementation Roadmap: Countdown Begins to September 23, 2013 Compliance Deadline.
If you currently work in the healthcare field or plan to and deal with PHI, understanding HIPAA regulations is a necessity for your career. Learn more about HIPAA with one of Ed4Career’s current HIPAA compliance courses: HIPAA: An Introduction, HIPAA for Nurses, or HIPAA for Substance Abuse Providers.
