HIPAA Final Rule Raises Fines for Non-Compliance
"From my perspective, a covered entity or business associate's most important reaction to the final rule is to make sure that it has recently undertaken a Security Rule risk analysis," Rostolsky says. "Although the final rule includes many areas of significant change, the Office for Civil Rights (the HIPAA enforcer under HHS) is clearly viewing the failure to conduct a risk analysis as a key trigger to enforcement action."
Further, BAs, covered entities and now those subcontractors of BAs who use and disclose PHI on behalf of BAs must update business associate contracts within 180 days from the date the rule is published in the Federal Register (January 25).
"The HITECH rules already addressed this, and enough guidance was provided in HITECH and within that next year so that Scripps has already revised our standard BAA," Van Gorder says. "We might expect that some smaller BAs may go out of business or change their business if they are un-willing or unable to comply with the HIPAA rules, particularly the Security Rule."
A major rule regarding HIPAA privacy is still due: The accounting of disclosures rule that will greatly impact patients' rights to request records and potentially give them more access to who viewed their records through an "access report."
"I would share with a board that it doesn't seem these final rules are creating too many ripples in the HIPAA pond," says Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, AZ.
"But be aware that one of the big questions about whether patients' will have the right to an access report has yet to be answered. That is one area I see as one of the most challenging and ambitious HIPAA requirements to be decided upon."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
- CMS Mulls Income-Adjusting MA Stars
- Providers Prep for New Payment Models as Population Health Grows
- 3 Ways to Rev Employee Development Programs
- Transforming Decision Support and Reporting
- Providers' Push to Consolidate Roils Payers
- As Retail Clinics Surge, Quality Metrics MIA
- Aligning Executive Compensation with Provider Mission
- Nurse Ethics Comes to a Head at Guantanamo Bay
- In Lakeport, CA, a Population Health Laboratory is Born
- 6 Not-So-Good Reasons for Avoiding Population Health