Preparing for Tougher Privacy Rules

From: HealthLeaders Media

Scott Mace

Spurred by stricter and closer regulation and enforcement, healthcare providers spent the summer scrambling to update their ability to abide by the federal privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act.

The new rules kick in on September 26, 2013. Providers can expect random audits, fines that now rise based on the number of records compromised, more frequent and sterner communications from HHS’ Office for Civil Rights, and a surge in formal complaints from patients who ask for their medical records but do not receive them in a timely fashion.

“Before, it said, when you have a breach, you can use your judgment to decide if there was risk of harm to the patients,” says Pamela McNutt, CIO at the six-hospital Methodist Health System in Dallas. “Under the new omnibus rule, they actually gave some very specific criteria that you have to consider.”

For instance, suppose someone left a box of records containing protected health information somewhere. Before the rule change, if the box turned up on the provider’s doorstep or a third party handed it back to the provider, a breach notification normally did not have to be issued. Now such notifications are mandatory.

Investigators remain lenient for first-time breaches if the breach is addressed properly. “If you haven’t done your due diligence, then that’s where you open yourself up to the fines,” McNutt says. The new omnibus rules “just really put very solidly in writing exactly what you need to do to determine risk. It does turn it into ‘assume you’re guilty unless you can prove you’re innocent.’”

The OIG’s promise of random HIPAA audits, even without a breach notification, is putting even more focus on compliance, McNutt says. “The privacy of patient records is not where it needs to be. We’re having too many breaches. Most of the American public can understand somebody’s laptop was stolen and it had some data on it, versus when you hear some of these other stories like some company found a hole in their Internet system and found out that people for years have been able to peruse patient records through their Internet. But I think the public’s forgiveness is going to be based on how grievous they perceive the error was.”

For providers without in-house expertise to train employees about security and patient privacy, training materials are available for sale, she adds.

Providers must do all this while at the same time expanding authorized access and exchanging protected health information with patients and other providers.

“The more we’re pushing for transparency and interchange of records and patients being able to have a lot of access to their own records online, the more you have to think about security and privacy,” McNutt says. “We want to give patients portals, but how can we make sure that we’ve made it secure enough that someone can’t hack in and get that patient’s records? This raises the bar on the need for security.”

As with all corporate security, that can be a tricky balance. Easy-to-remember passwords may be less secure than more difficult-to-remember ones, for instance.

Two more factors arriving at the same time as the new HIPAA omnibus rule are the provider movement toward storing PHI in the cloud and the bring-your-own-device phenomenon among healthcare employees.
