This article appears in the September issue of HealthLeaders magazine.
Spurred by stricter and closer regulation and enforcement, healthcare providers spent the summer scrambling to update their ability to abide by the federal privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act.
The new rules kick in on September 26, 2013. Providers can expect random audits, fines that now rise based on the number of records compromised, more frequent and sterner communications from HHS' Office for Civil Rights, and a surge in formal complaints from patients who ask for, but do not receive in a timely fashion, their medical records upon request.
"Before, it said, when you have a breach, you can use your judgment to decide if there was risk of harm to the patients," says Pamela McNutt, CIO at the six-hospital Methodist Health System in Dallas. "Under the new omnibus rule, they actually gave some very specific criteria that you have
For instance, suppose someone left a box of records containing protected health information somewhere. Before the rule change, if the box turned up on the provider's doorstep or a third party handed it back to the provider, a breach notification normally did not have to be issued. Now, such breach notifications become mandatory.
Investigators remain lenient for first-time breaches if the breach is addressed properly. "If you haven't done your due diligence, then that's where you open yourself up to the fines," McNutt says. The new omnibus rules "just really put very solidly in writing exactly what you need to do to determine risk. It does turn it into 'assume you're guilty unless you can prove you're innocent.'"
The OIG's promise of random HIPAA audits, even without a breach notification, is putting even more focus on compliance, McNutt says. "The privacy of patient records is not where it needs to be. We're having too many breaches.
Most of the American public can understand somebody's laptop was stolen and it had some data on it, versus when you hear some of these other stories like some company found a hole in their Internet system and found out that people for years have been able to peruse patient records through their Internet. But I think the public's forgiveness is going to be based on how grievous they perceive the error was."