Digesting the HIPAA Proposed Rule
The proposed rule that modifies the HIPAA privacy, security, and enforcement rules has been published in the Federal Register for about a week.
And while it may not be time to flip your HIPAA compliance program upside down (it is, after all, a proposed rule that could become final any time after the comment period closes on Sept. 13), you should take note of several items in the rule.
The following items are courtesy of Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. Herold will be co-hosting the HCPro, Inc. audio conference, "HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations," Tuesday, August 31:
- HIPAA and HITECH apply to business associates (BAs). “Including a clear indication that HIPAA and HITECH apply to BAs is a great idea,” Herold says. “I've spoken to many BAs who still believe that they only have to have the BA agreement in place, and I've had multiple covered entities (CEs) point out that the HHS has never explicitly stated that they needed to do more than provide a BA agreement for their BAs. If accepted and implemented as worded, the changes in the [proposed rule] make it much more clear that the CEs' responsibilities must go beyond just having a BA agreement.”
- New definition of “standard.” Herold calls replacing “individually identifiable health information” with “protected health information” in the definition of “standard” a strong idea. “This has always been a point of confusion for many/most CEs, and then last year for BAs.”
- Subcontractors now BAs. Many subcontracted entities handle PHI, and it makes sense to make them BAs by definition and liable for breaches. “Including subcontractors is a very good thing,” Herold says. “They provide many of the breaches.” It is also a good thing to see the following entities included under HITECH:
  - Patient Safety Organizations (PSOs)
  - Health Information Organizations (HIOs)
  - E-Prescribing Gateways
  - Other persons that facilitate data transmission, as well as vendors of personal health records
- Updated definition of "Electronic Media." The original definition became outdated quickly, Herold says. “The new one does allow for ongoing technological innovation and changes to be covered. Pointing to a NIST definition is a good way to have it more consistent with other laws and regulations that also use this definition.”