HealthcareInfoSecurity.com - Information Security News, Regulations, & Education

Understanding the Proposed HIPAA Revamp

July 15, 2010

Interview with security expert Tom Walsh on the proposed HIPAA privacy, security and enforcement rule revisions.

To avoid paying tougher penalties, healthcare organizations and their business associates need to begin preparing to comply with the proposed revamp of the HIPAA privacy, security and enforcement rules, says security expert Tom Walsh.

In an exclusive interview, Walsh says the proposal's most significant components are:

  • An explanation that ignoring the HIPAA rules amounts to "willful neglect" and can result in the maximum penalties;
  • A clarification that business associates and their subcontractors must comply with HIPAA; and
  • A description of patients' rights to access their health records.

Walsh also:

  • Advises business associates to take a closer look at all their security safeguards.
  • Advises hospitals, clinics and other "covered entities" to get ready to rewrite their business associate agreements as well as the "notice of privacy practices" they give to patients.

Plus, he says he's disappointed that the proposal includes relatively few changes to the HIPAA security rule, which has not been updated since 2003, despite major advances in technology. Walsh says, for example, that the proposal should have addressed the issue of ensuring security for remote access to information systems.

Walsh is president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on risk management strategies. He is one of the authors of the book, "Information Security in Healthcare: Managing Risk," published by the Healthcare Information and Management Systems Society.