Changes coming to the HIPAA Privacy and Security Rule mean added administrative work, and they could mean additional reporting, said Lisa Sotto, head of Hunton & Williams' global privacy and data security practice in an interview with InformationWeek Healthcare.

The Department of Health and Human Services recently announced what Office of Civil Rights (OCR) director Leon Rodriguez called "sweeping changes" to HIPAA that will strengthen the OCR's ability to enforce HIPAA.

The changes, also known as the final omnibus rule, are broken down into four parts, HHS explained in a PDF document. Among the four parts are modifications to the HIPAA security rule first proposed in July 2010; changes to HIPAA enforcement to incorporate the tiered civil monetary penalty structure provided by the HITECH Act; a final rule on breach notification for unsecured protected health information under the HITECH Act; and a final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit health plans from using or disclosing genetic information for underwriting purposes.

[ For the latest developments on Meaningful Use, see Meaningful Use Stage 2 Rules Finalized. ]

The final rule focusing on breach notifications creates a "significant shift" in the new issuance from a harm-based standard to a focus on the probability that data is compromised in any data leak, Sotto said. The interim final rule had used a harm threshold that meant companies had to notify patients of a data loss if there was a significant risk of patient harm. That threshold has been replaced by a presumption that data privacy is compromised when data is exposed, unless the organization can demonstrate there was a low probability that personal health information had been compromised based on a set of factors.

"The focus on harm to the individual and any injury the individual may suffer has been eclipsed by the question of whether the PHI has been compromised," she said. OCR considers this a more objective standard, but "I like the idea of the assessment focusing on the individual, rather than thinking about a breach in a vacuum without strong reference to the individual," Sotto said.

The new rules also could force organizations to know how data is handled by business partners. A "business associate" amendment was part of HITECH when it was first enacted in 2009. What's changed as part of the first rule, said Sotto, is that HHS has imposed an obligation "all the way downstream" to every subcontractor that has access to PHI. This results in "some very long chains of custody for data," she said.

"There's a huge bureaucratic burden that's about to hit because every business associate agreement in place needs to be amended, and a huge wave of businesses in the U.S. will be hit with business associate-like agreements because they're subcontractors," said Sotto. "They could be the subcontractor of a subcontractor to the business associate of a covered entity." IT organizations will have to let all their subcontractors know they're directly responsible for HIPAA compliance, she said. "This is an enormous administrative burden that's about to happen," Sotto warned.

Clinical, patient engagement, and consumer apps promise to re-energize healthcare. Also in the new, all-digital Mobile Power issue of InformationWeek Healthcare: Comparative effectiveness research taps the IT toolbox to compare treatments to determine which ones are most effective. (Free registration required.)

Federal agencies must eliminate 800 data centers over the next five years. Find how they plan to do it in the new all-digital issue of InformationWeek Government. Download it now (registration required).