Healthcare Compliance: HIPAA Privacy and Security Rules Updates


Learn how business associates are now covered directly under the HIPAA rules

Read this expert HIPAA training article and get the skinny on the latest HIPAA updates you must know to ensure compliance.

The Privacy Rule: The Privacy Rule has been around since 2003. It went into effect and became enforceable in April 2003, so we're coming up on 10 years of its being in effect.

Basically, what the Privacy Rule looks at is this lump of data, patient information, that's held by some kind of entity.

What we're talking about is the rights individuals have over that information: what kind of access they have to it, how they can get copies of it, ask for changes to it, find out who's been looking at it, and things like that. So there are certain rights that individuals have about that information.

There are also certain limitations on how the entities can use or disclose that information under the HIPAA regulations. So it's all about the health information, but with individual rights to get at it on one side and controls on what the entities can do with the data on the other side, to make sure things are being done properly. And there are some baseline privacy and security protections right there in the Privacy Rule.

The Security Rule: It came along just a couple of years after the Privacy Rule went into effect, right about the time everyone was finally getting over the Privacy Rule, the flurry of paper, the adjustments, the policies, the fear, and the realization that it really didn't amount to much after all. Once you had everything working, it was just a matter of doing things in a sensible and organized way. The Security Rule talks about the safeguards for protecting all that electronic information.

It's very goal-oriented. It sets up objectives you need to meet, and then you use risk analysis to figure out what is right for you to be in HIPAA compliance: what risks you are facing based on what your data is, where it's sitting, and where it's moving around. Because wherever data is sitting or moving, that's where something can go wrong.

So you need to use some risk analysis to figure out what your risks really are and how you can mitigate them, so people can go ahead with some sense of security.

It's actually one of the nicer security regulations out there, because it recognizes the flexibility that needs to be there: it covers everything from a tiny doctor's office to a big hospital corporation with multiple facilities and tens of thousands of employees.

Now here is the big change: business associates are now covered directly under the HIPAA rules. And even in criminal cases, identity theft prosecutions are using HIPAA as a statute to go after bad guys who use patient information.

But the big takeaway on these rules is that in the past, business associates have not been beholden directly to the rules; they've been beholden to the contracts they had with the covered entities.

What's changing is that as of March 26, business associates will be directly covered under the HIPAA rules and will be required to have the same kinds of policies, procedures, and safeguards in place for the Privacy and Security Rules that covered entities have.

They will have until September 23rd to be in compliance, an extra six months past the effective date. All the business associates have to deal with this, and they have until September 23rd, so they get to have a fun summer, right, spending the whole summer figuring out how to be HIPAA-compliant.

So that's the Privacy and Security Rules. The big takeaway is that business associates will now be covered directly under the rules.

HIPAA Breach Notification Rule: This one has been in place as an interim final rule since 2009 and has been enforceable since February of 2010.

And now we finally have a final rule published. There are some changes from what was in place under the interim rule, which is actually still in effect; the changes take effect on March 26, but the final rule has been published.

The way this works is that the breach notification rule works together with the Privacy and Security Rules. If there's some kind of a privacy violation, you have to look and see, “Well, does this qualify as a breach? Is this something we need to report to Health and Human Services and to the individuals?” And if it is a breach, then you have to report it to them.

You could avoid more than half of HIPAA breaches if people were just properly encrypting electronic data: all those backup tapes, all those laptops, all that data wandering around out there.

It's such a huge and clear problem that when they have enforcement actions, they're making plenty of examples of people who don't encrypt their laptops. They're making very painful examples of those who haven't encrypted their laptops and backup tapes and things like that. Now is the time to do it. No more excuses. That's the way it is.

Now, the thing is, it's very expensive to have to respond. If you have a breach, you may have to send letters to perhaps thousands of people.

There's a whole bunch of things to think about with breach notification, not to mention that you have to integrate how you respond to the federal rules with your state healthcare rules, because those are still in effect as well.

At least 46 states, plus the Virgin Islands, D.C., and Puerto Rico, have breach notification rules for financial information, and you need to consider those as well.

Visit AudioEducator and get the latest regulatory updates on HIPAA, home care, long term care and medical coding and billing topics.