HIPAA Final Rule Raises Fines for Non-Compliance

The HIPAA omnibus final rule released by the Department of Health & Human Services January 17 will cost hospitals some time and money in regulation analysis, training, and policy revision, but shouldn't break the bank, healthcare leaders and privacy and security experts say.

The HIPAA "mega rule," so-called by some in the industry, represents the largest set of modifications to the HIPAA privacy and security rules to date.

"The new law needs to be analyzed and will have some impact on current processes, although they appear after my high level review to be expected and minor in nature," says Chris D. Van Gorder, FACHE, president and CEO of Scripps Health in San Diego.

"There will be costs to Scripps to analyze the regs, revise policies, revise and distribute the Notice of Privacy Practice (NPP), and to revise our standard Business Associate agreement if legal determines that is necessary and get our BA's to sign the new version."

The final omnibus rule enhances a patient's privacy protections, provides individuals new rights to their health information, strengthens the government's ability to enforce the law, and requires updates to business associate contracts.

The rule, required by the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law in February of 2009, is enforceable beginning September 24. It holds accountable third-party subcontractors who use and disclose PHI to HIPAA rules and penalties.