New HIPAA Regulations
How Was HIPAA Changed by the Final Omnibus Rule of 2013?
Contrary to what many believe, not a lot changed when new HIPAA regulations were enacted by the Final Omnibus Rule of 2013. The inclusion of Business Associates and third-party service providers under the HIPAA umbrella was a relatively minor (and anticipated) change, as were the new HIPAA regulations regarding patient requests for their healthcare information and the need to seek approval before using a patient's healthcare information for marketing or fundraising purposes.
Possibly the most significant of the new HIPAA regulations for healthcare organizations was the revised definition of what constitutes a breach of Protected Health Information (PHI) and when it should be reported to the Department of Health and Human Resources Office for Civil Rights.
Whereas previously covered entities only had to report a breach if it posed a significant risk of harm to the patient's finances or reputation, the new HIPAA regulations stipulate that any loss or inappropriate disclosure of PHI has to be reported unless it can be demonstrated that there is a low probability that the data will be used improperly.
The new HIPAA regulations also introduced tougher financial penalties for noncompliance with HIPAA. The former upper limit of $25,000 was doubled to $50,000 per breach per day, with an upper annual limit of $1.5 million. The extra funds raised by the increased fines will be used to implement stricter enforcement of the HIPAA regulations, meaning that healthcare organizations would be best advised to implement measures that prevent unauthorized access to, and inappropriate disclosure of, PHI.
Breaches of PHI and When to Report Them
In addition to the new HIPAA regulations, the Final Omnibus Rule tightened up certain existing regulations within HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. For example, the HIPAA Information Access Management Rule now states that authorized users can only be granted access to PHI once a documented process has been completed that establishes the identity of the user and their need to access PHI. Effectively, blanket authorization of an entire workforce is no longer accepted.
In order to establish that a breach has occurred, HIPAA covered entities should have mechanisms in place to record who accesses PHI and how it is used. Consequently, covered entities should be able to determine when anybody has accessed PHI without the documented authorization process having been completed, or when anybody has accessed a higher level of PHI than they are entitled to. The new HIPAA regulations relating to breaches of PHI also apply to the incorrect disposal of Protected Health Information.
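The two conditions above (access with no completed authorization record, and access above the approved level) are what an access-log review has to flag. The following is an added illustration, not code from the original page; the PHI sensitivity tiers, the authorization record format and the log entries are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical PHI sensitivity tiers, lowest to highest (constructed for this example).
LEVELS = {"demographic": 1, "clinical": 2, "restricted": 3}

@dataclass(frozen=True)
class Authorization:
    """Outcome of the documented access-approval process for one user."""
    user: str
    max_level: str           # highest PHI tier the user was approved for
    process_completed: bool  # identity and need-to-know established and recorded

def audit_phi_access(access_log: List[dict], authorizations: Dict[str, Authorization]) -> List[dict]:
    """Return the log entries that are potential breaches under the two conditions:
    - the user has no completed authorization record, or
    - the PHI tier accessed is above the tier the user was approved for."""
    findings = []
    for entry in access_log:
        auth = authorizations.get(entry["user"])
        if auth is None or not auth.process_completed:
            findings.append({**entry, "reason": "no documented authorization"})
        elif LEVELS[entry["phi_level"]] > LEVELS[auth.max_level]:
            findings.append({**entry, "reason": "access above approved level"})
    return findings

# Constructed sample data: three authorization records and four access-log entries.
SAMPLE_AUTHORIZATIONS = {
    "nurse01": Authorization("nurse01", "clinical", True),
    "clerk02": Authorization("clerk02", "demographic", True),
    "temp03": Authorization("temp03", "clinical", False),  # request submitted, process not finished
}
SAMPLE_LOG = [
    {"ts": "2023-05-01T08:02:11", "user": "nurse01", "record": "pt-1001", "phi_level": "clinical"},
    {"ts": "2023-05-01T08:05:43", "user": "clerk02", "record": "pt-1001", "phi_level": "clinical"},
    {"ts": "2023-05-01T08:07:19", "user": "temp03", "record": "pt-1002", "phi_level": "demographic"},
    {"ts": "2023-05-01T08:09:02", "user": "ghost", "record": "pt-1003", "phi_level": "restricted"},
]

if __name__ == "__main__":
    for f in audit_phi_access(SAMPLE_LOG, SAMPLE_AUTHORIZATIONS):
        print(f"{f['ts']} {f['user']} -> {f['record']} ({f['phi_level']}): {f['reason']}")
```

Each flagged entry is a candidate for the four-element risk assessment described in the next section, not an automatic reportable breach.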
To determine whether or not the breach should be reported to the Office for Civil Rights, covered entities should complete a risk assessment that covers four elements.
- The type of information that has been accessed. If an unauthorized person has gained access to information about a disease that could harm a patient's reputation (e.g. a sexually transmitted disease), their credit card number or Social Security number, there is a high risk that the information will be used for inappropriate purposes.
- The person who has accessed the information. If the unauthorized person is known, and the PHI that has been accessed can be recovered without the risk of harm, then the probability of misuse of the data is low and it may not be necessary to report the breach. If the person who has accessed the data is unknown, the breach must be reported.
- Whether the PHI was actually seen or used. In the event that a healthcare provider has lost their smartphone and the mobile device has been used to receive messages containing PHI, it must be assumed that a breach of PHI has occurred and the breach reported (even though there is only the potential for a breach), unless the mobile device is later found and an analysis shows that the messages were never accessed.
- How well the risk has been mitigated. A mitigating factor could be that the covered entity obtains assurance that the accessed PHI will not be used or disclosed, or will be destroyed. That makes the risk of inappropriate use low and the breach not reportable, depending on who the assurance comes from. Assurance from a business associate is usually worth relying on. Assurance from an unrelated third party with no obligation to comply with HIPAA is different, and the breach should be reported.
Avoid Breaches of PHI with a Secure Messaging Solution
The simplest way to avoid breaches of PHI, and the fines associated with them, is with a secure messaging solution. Secure messaging solutions help healthcare organizations comply with the new HIPAA regulations by encapsulating all electronically transmitted PHI within a private communications network. Authorized users are assigned levels of access to PHI with a unique username and PIN for a secure messaging app that encrypts PHI while it is in transit.
Mechanisms exist to prevent PHI from being sent outside of the private communications network, copied and pasted, or saved to an external hard drive. Message lifespans and automatic logoffs prevent PHI from being disclosed when mobile devices are left unattended, and if a smartphone is lost or stolen, administrators have the ability to PIN-lock the app to prevent the potential breach of PHI mentioned above.
Secure messaging solutions comply with the administrative, physical and technical requirements of the HIPAA Security Rule and assist with compliance to the HIPAA Information Access Management Rule. By restricting access to PHI with a secure messaging solution, the likelihood of a breach of PHI is reduced, and the probability of passing a HIPAA audit greatly increased.
Find Out More about the New HIPAA Regulations
To find out more about the new HIPAA regulations, who they apply to, and the changes made to HITECH in the Final Omnibus Rule, you are invited to download and read our "HIPAA Compliance Guide". Our guide provides valuable information about all areas of HIPAA legislation, with particular reference to PHI breaches and how they can be avoided, and illustrates the benefits of secure messaging solutions with case studies from healthcare organizations that now use secure messaging solutions to comply with the new HIPAA regulations.