On January 17, 2013, the long-awaited HHS HIPAA Omnibus Rule was posted on the Federal Register and has been the subject of much fanfare in the press. According to HHS Secretary Kathleen Sebelius: “the new rule will help protect patient privacy and safeguard patient’s health information in an ever-expanding digital age.” Leon Rodriguez, Director of HHS’ Office of Civil Rights (OCR), described the Omnibus rule-making as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”
True. But remember, while the rule does consist of “sweeping changes,” not many of those changes should be a surprise to anyone. The 563-page document is primarily a codification of changes to the HIPAA security and privacy rules as mandated by the 2009 HITECH Act. For the past 3+ years, many in the government and in the healthcare industry have been operating under the “spirit of the law” and abiding by several interim rules that laid out the protections and safeguards envisioned in HITECH.
Good for them. But that does not excuse the long delay in finalizing the privacy and security provisions contained in HITECH, nor the many times deadlines were missed as promised Final Rule publication dates came and went. Without the final Omnibus Rule in place, confusion and uncertainty were common, particularly among covered entities and business associates in regard to their responsibilities for safeguarding protected health information (PHI).
Consider that under HITECH, direct civil liability for PHI breach was to be extended to business associates and their sub-contractors. This indeed is a “sweeping change” (albeit one formulated in 2009) and a change that has been sorely needed. From September 2009 through the end of 2012, business associates were involved in 56.6% of large PHI breaches (defined as those affecting 500 or more individuals).
From 2009-2012, did covered entities and business associates clearly understand each other’s responsibilities for protecting PHI under HIPAA and/or HITECH? For an issue as important as safeguarding patients’ health information, shouldn’t this have been made a high priority? When asked by HealthInfoSecurity.com about the reasons for the protracted delay in the HIPAA Omnibus Rule, Susan McAndrew of the HHS’ Office of Civil Rights said:
“You know I think the important thing is that the rule is about to be published in final form and I think we really need to keep our eyes on the prize and moving forward with the implementation of this rule so that these new rights become a reality for the consumer.”
I agree that we need to move forward. But past is often prologue. Perhaps the bureaucratic reasons for the long delay in publishing the Omnibus Rule can be swept under the rug. However, I’d suggest that in regard to safeguarding patients’ health information, the importance of the custodial chain between covered entity and business associate has long been overlooked by Washington. Note, too, that not a single business associate was included in OCR’s first 120 HIPAA audits. Sure, it’s complicated. But to the extent the Federal government is going to play an enforcement role, it owes it to the healthcare industry to provide clearer guidance.
Covered entities and Business Associates now have until September 23, 2013 to be in compliance with the HITECH legislation passed in 2009. Over 50% of PHI breaches to date have involved a business associate. Let’s use these next 6 months to tackle this problem head-on. Redspin stands ready to help both covered entities and business associates meet the complexities and challenges of this issue. It will be critical to building patient-consumer confidence in the electronic health record system and in protecting your organization from reputational and financial risk.