"From my perspective, a covered entity or business associate's most important reaction to the final rule is to make sure that it has recently undertaken a Security Rule risk analysis," Rostolsky says. "Although the final rule includes many areas of significant change, the Office for Civil Rights (the HIPAA enforcer under HHS) is clearly viewing the failure to conduct a risk analysis as a key trigger to enforcement action."
Further, BAs, covered entities and now those subcontractors of BAs who use and disclose PHI on behalf of BAs must update business associate contracts within 180 days from the date the rule is published in the Federal Register (January 25).
"The HITECH rules already addressed this, and enough guidance was provided in HITECH and within that next year so that Scripps has already revised our standard BAA," Van Gorder says. "We might expect that some smaller BAs may go out of business or change their business if they are un-willing or unable to comply with the HIPAA rules, particularly the Security Rule."
A major rule regarding HIPAA privacy is still due: the accounting of disclosures rule, which will greatly impact patients' rights to request records and potentially give them more insight into who viewed their records through an "access report."
"I would share with a board that it doesn't seem these final rules are creating too many ripples in the HIPAA pond," says Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, AZ.
"But be aware that one of the big questions about whether patients' will have the right to an access report has yet to be answered. That is one area I see as one of the most challenging and ambitious HIPAA requirements to be decided upon."