Healthcare // Analytics
News
1/23/2013
01:28 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%
Repost This

HIPAA Changes Could Create New Bureaucratic Burdens

Modifications to HIPAA may take the focus off patients and pile on administrative work.

10 Mobile Health Apps From Uncle Sam
10 Mobile Health Apps From Uncle Sam
(click image for larger view and for slideshow)
Changes coming to the HIPAA Privacy and Security Rule mean added administrative work, and they could mean additional reporting, said Lisa Sotto, head of Hunton & Williams' global privacy and data security practice in an interview with InformationWeek Healthcare.

The Department of Health and Human Services recently announced what Office of Civil Rights (OCR) director Leon Rodriguez called "sweeping changes" to HIPAA that will strengthen the OCR's ability to enforce HIPAA.

The changes, also known as the final omnibus rule, are broken down into four parts, HHS explained in a PDF document. Among the four parts are modifications to the HIPAA security rule first proposed in July 2010; changes to HIPAA enforcement to incorporate the tiered civil monetary penalty structure provided by the HITECH Act; a final rule on breach notification for unsecured protected health information under the HITECH Act; and a final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit health plans from using or disclosing genetic information for underwriting purposes.

[ For the latest developments on Meaningful Use, see Meaningful Use Stage 2 Rules Finalized. ]

The final rule focusing on breach notifications creates a "significant shift" in the new issuance from a harm-based standard to a focus on the probability that data is compromised in any data leak, Sotto said. The interim final rule had used a harm threshold that meant companies had to notify patients of a data loss if there was a significant risk of patient harm. That threshold has been replaced by a presumption that data privacy is compromised when data is exposed, unless the organization can demonstrate there was a low probability that personal health information had been compromised based on a set of factors.

"The focus on harm to the individual and any injury the individual may suffer has been eclipsed by the question of whether the PHI has been compromised," she said. OCR considers this a more objective standard, but "I like the idea of the assessment focusing on the individual, rather than thinking about a breach in a vacuum without strong reference to the individual," Sotto said.

The new rules also could force organizations to know how data is handled by business partners. A "business associate" amendment was part of HITECH when it was first enacted in 2009. What's changed as part of the first rule, said Sotto, is that HHS has imposed an obligation "all the way downstream" to every subcontractor that has access to PHI. This results in "some very long chains of custody for data," she said.

"There's a huge bureaucratic burden that's about to hit because every business associate agreement in place needs to be amended, and a huge wave of businesses in the U.S. will be hit with business associate-like agreements because they're subcontractors," said Sotto. "They could be the subcontractor of a subcontractor to the business associate of a covered entity." IT organizations will have to let all their subcontractors know they're directly responsible for HIPAA compliance, she said. "This is an enormous administrative burden that's about to happen," Sotto warned.

Clinical, patient engagement, and consumer apps promise to re-energize healthcare. Also in the new, all-digital Mobile Power issue of InformationWeek Healthcare: Comparative effectiveness research taps the IT toolbox to compare treatments to determine which ones are most effective. (Free registration required.)

Comment  | 
Print  | 
More Insights
Big Love for Big Data? The Remedy for Healthcare Quality Improvements
Big Love for Big Data? The Remedy for Healthcare Quality Improvements
Healthcare data is nothing new, but yet, why do healthcare improvements from quantifiable data seem almost rare today? Healthcare administrators have a wealth of data accessible to them but aren't sure how much of that data is usable or even correct.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government, May 2014
NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work?
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.