Attorney: Revisit HIPAA Compliance
With Tougher Penalties Looming, It's Time to Review Policies
The proposed rule, which regulators are now fine-tuning for a final rule due out soon, would toughen enforcement and set penalties of up to $1.5 million for violations of the HIPAA privacy and security rules, Nahra stresses. As a result, "This is a good opportunity to revisit your HIPAA compliance efforts" to help ensure your organization doesn't get hit with the tougher penalties, he adds.
In an interview (transcript below), Nahra also:
- Stresses that business associates providing services to healthcare organizations, as well as their subcontractors, must comply with HIPAA under the pending rule.
- Alerts business associates that "they are now moving from a situation where they had contractual obligations to one where they have both contractual obligations and very substantial legal compliance obligations."
- Laments that the pending rule lacks details on specifically what should be included in healthcare organizations' contracts with business associates. But he nevertheless calls on organizations to revamp the contracts to spell out the need for HIPAA compliance.
Nahra is a partner at the law firm Wiley Rein in Washington, where he specializes in healthcare, privacy, information security and compliance issues. He is chair of the firm's privacy practice and co-chair of its healthcare practice. He is a member of the board of directors of the International Association of Privacy Professionals and serves as editor of its Privacy Advisor newsletter. He is a Certified Information Privacy Professional.
HOWARD ANDERSON: The HHS Office for Civil Rights recently issued a proposed rule calling for extensive revamping of the HIPAA privacy, security and enforcement rules as called for under the HITECH Act. What do you consider to be the most significant components of the proposed HIPAA modifications?
KIRK NAHRA: The proposed rule that HHS issued is implementing what the HITECH Act already said they should be doing. ... HHS ... has gone ahead and proposed what the terms of that rule are going to look like. ... This is just another step in what has been a continuing evolution of the HIPAA privacy and security rules over the last few years.
Let me mention a couple of the biggest changes and then we can talk about some of them more specifically. When I look at both the law and the regulations, there are several major areas of change. One is the enforcement that is out there. The government under this new law and the new rule has significantly more authority to issue penalties. The penalties increase the maximum from $25,000 to $1.5 million, which is obviously a dramatic increase. There are also new enforcement agencies, with the state attorneys general of all 50 states being able to enforce the rules. There is a requirement to have notification of individuals in the event of security breaches, which is already starting to have a very significant impact across the healthcare industry.
And then we have the extension of these principles to what are called business associates -- basically the service providers. Service providers have always had to follow contracts about privacy, but now they have to follow the law as well. So this is going to be a real challenge for all the service providers in the healthcare industry.
Business Associate Contracts
ANDERSON: Was there anything left out of the proposal for HIPAA modifications that you would have liked to have seen included?
NAHRA: One of the things that HHS said at the beginning of its discussion in this proposed rule was essentially that it was going to not only put into effect what the HITECH law said it had to put into effect, but also make some changes to the rule based on its experience over the last several years in applying, interpreting and enforcing the rules. So that set the stage that they were going to make some other changes, but then they really didn't do much.
So I think there was a little bit of a missed opportunity to correct some of the other issues that have come up in the past. They did, for example, say that they were going to find that medical records of people who have been dead for more than 50 years are no longer going to be subject to these rules. So that was one of the changes they made. I'm not sure that has a lot of impact for people, but they didn't do as much as they could there.
They also could have done more to deal with what's called a business associate contract, which is the agreement that a hospital or a doctor's office or a health insurer has to sign with its service providers. The guidance that they came out with was late. People have been trying to make changes to those contracts for a year and a half now. They also didn't really tell us what should be in those contracts to reflect the new rule. Again, this is a missed opportunity.
There were some parts of the HITECH law that I thought were a little confusing, and I think HHS didn't really do a lot to try and deal with those confusing aspects. They really just applied the law as it was written and moved it over to the privacy and security rules. So I think we're still going to have some confusion when these rules go into effect. Although, I should say that what is out now is a proposed rule, meaning that the healthcare industry had a chance to give comments to the government and there will be a final rule issued in the future. So again, we may see some more changes. We could see some of those open issues actually addressed in the final rule, even though they weren't addressed in the proposed rule.
HIPAA Compliance
ANDERSON: Based on the proposed HIPAA modifications, what are the most essential new steps that hospitals, physician groups and other healthcare organizations should take to prepare for compliance?
NAHRA: Well first of all, I'd hope that their compliance efforts are already well under way. This law was passed back in 2009 and so most companies knew what the boundaries of this new set of principles was going to be. At the same time, we know that there is going to be more enforcement, and so one of the messages that was sent to the healthcare industry when the law was passed was: "This is really an important thing."
You've got to continue to have a high focus on privacy and security compliance, and there is going to be more enforcement if you don't do a good job on it. So I would hope that people in the healthcare industry have been engaging in compliance efforts on an ongoing basis. We're seeing lots and lots of security breaches in the healthcare industry. It's not limited to healthcare. We're seeing security breaches in all aspects of corporate America, but the healthcare rules now make these breaches much more visible, and healthcare consumers are very nervous about what is going on with their medical information and their insurance information. So companies really have to put a very high focus on paying attention to security breaches, being aware of problems, fixing problems quickly, and acting on an ongoing basis to improve their security practices.
There do need to be new contracts with business associates. That is a very big project for lots of companies who might have hundreds or even thousands of vendors that they deal with. So they have to spend some time and energy on redoing those contracts. There are some new provisions involving marketing as well. ...
But on the whole, I think this is really a good opportunity for companies to revisit their overall HIPAA compliance efforts. The HITECH changes were very significant. ... Because of the new enforcement authority, I've certainly been encouraging the companies that I work with to use this opportunity to revisit all of their HIPAA compliance steps. They need to make sure they are doing the right things; make sure they are still comfortable with where they are in connection with all of the HIPAA rules because I think this is just going to be generating a lot more attention to these issues in the future.
HIPAA and Business Associates
ANDERSON: What about advice for business associates now that they have to comply with HIPAA as well? What should they be doing?
NAHRA: The business associate community is still really trying to deal with all the implications of the new HITECH laws. And one of the most significant changes that came out of the proposed rule was that HHS actually has made this even more significant than we thought. The business associate communities are the people who contract directly with hospitals and health insurers, for example. There are downstream contractors who are called subcontractors and we didn't think ... the new law was going to apply to all of those downstream contractors as well. HHS in the new proposed rule has said, however, that it does extend to all of those downstream contractors. So there are a whole lot of new companies that have to follow the HIPAA rules, assuming that the provision becomes final.
So business associates need to realize that they are now moving from a situation where they had contractual obligations to one where they have both contractual obligations and very substantial legal compliance obligations, and that any failures to meet those legal compliance obligations will be subject to potential enforcement at much higher levels.
So it's really a double whammy for the business associate community. We're going to see some real challenges for companies that are only partially in the healthcare industry. If you are a service provider whose sole customer base is in the healthcare industry, you've been following these rules and hopefully you've developed a compliance program already. Where I think we're going to see more problems is for companies that provide services to lots of different industries, with healthcare being only a little component of it, because they are going to have to make some fairly dramatic changes across their entire business.
From the business associate perspective, there are two big categories that people need to be aware of. There is the HIPAA privacy rule, which sets forth what you can and cannot do with information you get from your clients. That is actually not a very big area of change for business associates, because they had to follow a contract before, and so the major impact is that they now have a legal obligation to follow what is in the contract.
Where business associates and subcontractors are going to face dramatic changes is in connection with the HIPAA security rule, because they now have to move from a contractual requirement under the old standards, calling for reasonable and appropriate security, which is obviously a very flexible and somewhat amorphous standard. Now under these new rules, they are going to have to follow all of the elements of the HIPAA security rule, which is very detailed and very specific, and that is really going to be a major effort for most business associates that are now subject to these rules.
Advice on Privacy
ANDERSON: Finally, based on your experience advising healthcare organizations, what advice would you offer on how to ensure the privacy of electronic health records in general?
NAHRA: There is a dichotomy between what's going on with electronic health records in general and these privacy and security rules that are applied to them. The economic stimulus legislation is what led to these new privacy and security rules. That is a little bit of an odd jump. The reason that economic stimulus legislation had privacy and security provisions is that, as part of the stimulus legislation, there were incentives passed for healthcare providers to implement electronic health records.
So on the one hand, we've had a goal across the country for the last few years of building up more and more electronic health records because there are some real benefits to having those records. At the same time that Congress gave with one hand these incentives, they imposed with the other hand some new burdens to follow these new privacy and security rules. So what we're seeing is a desire to have more and more of these electronic health records because of the benefits on the quality of medical care, reducing expenditures, reducing unnecessary administrative costs, reducing unnecessary additional testing, but at the same time a real significant concern with privacy and security in those records. So it's an area that people have to pay a lot of attention to.
There are a lot of moving parts right now, both in terms of developing standards for these records and developing the rules that are going to be used for the exchange of these electronic health records. And I think that is really an area we're going to be spending a lot of time, energy and, frankly, money, over the next four or five years as the healthcare system moves toward building these electronic health records and developing an effective system for healthcare providers and insurers to exchange this information in a way that really presents some positive benefits for the healthcare system.