As proposed, the long-overdue HIPAA modifications, which may be released in the coming weeks, would require business associates and their subcontractors to comply with the HIPAA Security Rule.
"We see a growing number of breaches happen when business associates possess PHI [protected health information]," Sotto says in an interview with HealthcareInfoSecurity. "CISOs and CIOs should look at the HIPAA [modifications that are pending] as an opportunity to improve business associate security. It's important for healthcare entities to focus their energies on seeking to prevent these sorts of incidents," says Sotto, who heads the global privacy and data security practice of law firm Hunton & Williams.
A pending omnibus package of regulations includes several components, including modifications to the HIPAA privacy, security and enforcement rules; a final version of the HIPAA breach notification rule; and a measure spelling out that using genetic information for insurance underwriting purposes is a privacyviolation as well as discriminatory under the Genetic Information Non-Discrimination Act.
In the interview, Sotto points to other pending regulations, including:
- A final rule that would modify the HIPAA Privacy Rule standard for accounting of disclosures of protected health information that adds new requirements for access reports. The pending regulation was placed on hold when its requirement for detailed reports about who accessed patient records proved controversial. "It's complex and confusing and would impose a substantial, costly technological burden on covered entities," she says.
- State privacy regulations. "There may be additional new state privacy laws enacted," Sotto says. Texas enacted privacy laws in September that are broader than HIPAA, she notes.
Sotto's other top HIPAA compliance advice for 2013 is to update risk assessments. According to OCR audits and breach investigations, the biggest HIPAA compliance deficiency at health organizations is the lack of a current risk assessment (see: HHS Offers Mobile Device Security Tips.)
As managing partner of the New York office of Hunton & Williams LLP, Sotto heads the firm's privacy and data security practice. She also serves as chair for the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. Sotto is a board member of the International Association of Privacy Professionals, serves as the chair of the New York Privacy Officers' Forum, and is a member of SAI Global's Law and Ethics Advisory Board.