HIPAA Omnibus: Benefits for Patients
'Lots of Positives' in the New Rule
Consumer advocate Deven McGraw, who advises federal regulators, expects authorities will initially ease into enforcement of the new HIPAA Omnibus Rule.
"I do think that the HHS Office for Civil Rights is going to be very careful in the initial implementation phase of the Omnibus Rule, not to come down too hard on folks who are trying to do the right thing - who are trying to understand what the rule means but haven't quite gotten there yet," says McGraw, director of the privacy project at the Center for Democracy & Technology.
OCR is slated to enforce the rule starting Sept. 23.
McGraw says there might be a period of time when OCR focuses on using its counseling authority to work with organizations that are in violation of the rule, rather than issuing fines. "How long that period of time will last I don't know," she says in an interview with Information Security Media Group (transcript below).
She also believes OCR may initially enforce the new HIPAA Omnibus Rule more strictly for larger healthcare providers and business associates than for smaller ones. "They have more staff; they have the capability to deploy resources quicker," McGraw says.
In the interview, McGraw also discusses:
- Why the Omnibus Rule is good news for consumers;
- Why more guidance is needed to assist healthcare providers with compliance;
- What consumers should do if they suspect they're a victim of a health information privacy breach.
In addition to her role at the Center for Democracy & Technology, a Washington-based, not-for-profit civil liberties organization, McGraw, an attorney, is chair of the Privacy and Security Tiger Team of the Health IT Policy Committee that advises the Office of the National Coordinator for Health IT on the HITECH Act incentive program for electronic health records.
MARIANNE KOLBASUK MCGEE: In the last year, there have been a number of breaches involving smaller covered entities that ended up with big monetary fines from HHS. Do you expect that this trend will continue ... under HIPAA Omnibus?
DEVEN MCGRAW: I think it's a little hard to tell. Certainly the risk of that is there. I do think that the Office for Civil Rights is going to be very careful in the initial implementation phase of the Omnibus Rule, not to come down too hard on folks who are trying to do the right thing - who are trying to understand what the rule means but haven't quite gotten there yet. [Enforcement may be greater] for some larger organizations where the expectations are higher and should be higher - they have more staff; they have the capability to deploy resources quicker. ... I do think that for the new obligations in particular, there might be a period of time where the Office for Civil Rights uses its counseling authority and says, "This is not right, but you have some time to fix it," versus fining them. How long that period of time will last I don't know.
MCGEE: How about the business associates, because they seem a bit confused about Omnibus, which requires them to comply with HIPAA. ... What do you think will happen?
MCGRAW: For business associates, it could be a different story, depending on the size of the business associate. Larger business associates who serve multiple healthcare entities will have a set of expectations that they're going to need to be compliant fairly quickly after OCR starts enforcing in September. [For] smaller BAs, it's another story. If you have a bit of a mom-and-pop operation that does the medical transcription for the local hospital, I do think the Office for Civil Rights will treat that differently. What their expectations will be, though, is a little bit of an unknown.
Top Concerns for Smaller Providers
MCGEE: Do you have any sense of what's giving the most trouble to smaller providers in terms of them understanding what HIPAA Omnibus means, let alone the HIPAA security and privacy rule?
MCGRAW: I'm glad you added that "let alone the HIPAA security and privacy rule" caveat, because the truth of the matter is that we still have a significant portion of the provider community, mostly the small provider community, that does not understand the HIPAA that has existed and been in effect since 2003, much less these new rules that just came into play. I think there will be a period of time where there's going to be a lot of confusion and a lot of misinformation, vendors trying to sell products and telling people that they have to do X, Y and Z, and [a lack of] good, widely available, objective information for them to use and rely on to be able to make the right decision.
There's guidance on the existing rules, and the Office for Civil Rights is doing more to try to get that out and to make that more accessible, such as through short videos. ... But there are still lots of questions that are being raised about what the Omnibus Rule really means. To the extent that you still have lawyers trying to figure it out, I think it's a stretch to think that the small providers can figure it out by September of this year and be able to implement it. As is always the case, we're going to need more and more guidance from regulators, ideally from lawyers, to help these small practitioners to comply.
Advice for Consumers
MCGEE: What's your advice to consumers who suspect that there has been a breach of their privacy with their health data? Are there any steps that they need to take, anything new under HIPAA Omnibus related to that?
MCGRAW: The Omnibus Rule did change the definition of breach in a way that we think is really much better for consumers. Previously, you didn't have the right to be notified of a breach unless the breaching entity decided that that breach would cause you a significant risk of harm. Now the standard has changed, and a breach of health information is presumed to be a breach that's subject to notification unless the covered entity does an investigation of the facts and decides that there was a low probability that the information was compromised, that somebody who wasn't supposed to see it saw it or that it was exposed to multiple people. If you as the consumer think that your information has been breached, definitely notifying the Office for Civil Rights and your state attorney general - which also has the authority to both investigate and pursue claims under HIPAA - is what I would do.
If you have a good relationship with your healthcare provider, it's not a bad idea to call them and say, "I got something that suggests to me that some information may have been breached out of your office," because it's quite possible that maybe it was done by a contractor and they had no idea that it happened. But it's really up to you as the consumer to decide whether that's something that you want to talk to the institution, your physician practice or your health plan about if you think it might have come from that angle, or to just go ahead and call the regulators.
Omnibus: Pros, Cons
MCGEE: Regarding consumers and HIPAA Omnibus, what would you say are the biggest negatives and positives for them?
MCGRAW: There are lots of positives in the rule for consumers. The breach notification definition that I just talked about - the presumption that a breach is subject to notification versus no notification unless you're harmed or they decide you might be harmed - it's just a much better scenario for consumers. There are changes in the marketing rules that are going to give patients more of a right to control when their health information is used to market products or services to them. The previous rule did not have a very strong set of protections. The requirement that business associates can now be held accountable by regulators means that it's less important that the data is shared downstream because the regulators can hold that entire stream of entities responsible. They were not able to do that in the past. It's a better enforcement environment for privacy and security rules generally.
Patients also have greater access to their health information. If you have a provider who uses an electronic medical record and you want an electronic copy of that information, you can get it electronically. Unfortunately, it still might take you 30 days to get it, but at least you can get it in the form that you want. If you want your doctor to e-mail you and you just want them to use your regular old e-mail because that's more convenient for you versus the secure e-mail portal that you might be forgetting the password to, you have the right to get the information in the form or the format that you want, and that's good.
MCGEE: There's a lot of talk about how the HIPAA privacy rule is more about processes and the security rule is about the technologies. Are there any key technologies that get the spotlight with HIPAA Omnibus that you think will be more important for healthcare providers to be paying attention to?
MCGRAW: I certainly think the electronic access provisions and the requirement to provide patients with some form of electronic copy puts the focus on technology and really requires them to think through a technical solution. But providers are going to have to have some technological way to get patients an electronic copy. I think that's a big part of it.