HIPAA Modifications: How to Prepare

Attorney Advises Focusing on Business Associates

December 14, 2012.

Healthcare organizations need to monitor more closely how their business associates protect patient information, and to step up risk assessments, as they prepare to comply with looming HIPAA modifications, says attorney Lisa Sotto.

As proposed, the long-overdue HIPAA modifications, which may be released in the coming weeks, would require business associates and their subcontractors to comply with the HIPAA Security Rule.

"We see a growing number of breaches happen when business associates possess PHI [protected health information]," Sotto says in an interview with HealthcareInfoSecurity. "CISOs and CIOs should look at the HIPAA [modifications that are pending] as an opportunity to improve business associate security. It's important for healthcare entities to focus their energies on seeking to prevent these sorts of incidents," says Sotto, who heads the global privacy and data security practice of law firm Hunton & Williams.

The pending omnibus package includes modifications to the HIPAA privacy, security and enforcement rules; a final version of the HIPAA breach notification rule; and a measure spelling out that using genetic information for insurance underwriting purposes is a privacy violation as well as discriminatory under the Genetic Information Nondiscrimination Act.

Other Regulations

In the interview, Sotto points to other pending regulations, including:

  • A final rule that would modify the HIPAA Privacy Rule standard for accounting of disclosures of protected health information that adds new requirements for access reports. The pending regulation was placed on hold when its requirement for detailed reports about who accessed patient records proved controversial. "It's complex and confusing and would impose a substantial, costly technological burden on covered entities," she says.
  • State privacy regulations. "There may be additional new state privacy laws enacted," Sotto says. Texas enacted privacy laws in September that are broader than HIPAA, she notes.

Sotto's other top HIPAA compliance advice for 2013 is to update risk assessments. According to OCR audits and breach investigations, the most common HIPAA compliance deficiency at healthcare organizations is the lack of a current risk assessment (see: HHS Offers Mobile Device Security Tips).

As managing partner of the New York office of Hunton & Williams LLP, Sotto heads the firm's privacy and data security practice. She also serves as chair for the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. Sotto is a board member of the International Association of Privacy Professionals, serves as the chair of the New York Privacy Officers' Forum, and is a member of SAI Global's Law and Ethics Advisory Board.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
