Experts urge entities to gear up for new privacy and security rules
With new Omnibus federal privacy and security rules effective March 26 with an upcoming compliance date of Sept. 23, two privacy experts urged covered entities to build an action plan and design an implementation timeline to ensure they are prepared.
“It adds a great deal of complexity to privacy management,” said Michael Ebert, partner at KPMG, during the March 25 KPMG Healthcare & Life Sciences Institute Webcast.
The new rules, which amend HIPAA pursuant to the American Recovery and Reinvestment Act of 2009, govern privacy and security, and include enhanced legal liability to business associates (BAs) of healthcare providers and greater patient control over disclosure of their records.
Ebert and Jutta Williams, director of corporate compliance in the privacy office at Intermountain Healthcare, advised covered entities to take the following actions:
- Map and flow protected health information (PHI) movement within the organization, as well as flows to and from all third parties
- Perform data discovery to locate all PHI
- Establish effective technical safeguards over PHI, including encryption, access management and restrictions for required use only
- Develop a third party risk management program
- Review vendor contracts and update BA agreements
Of particular importance in the security and privacy Omnibus bill are new breach notification rules that will “dynamically impact the industry,” Ebert said. Unlike before, when reporting was required only for breaches posing a significant risk of reputational, financial or other harm, the new rule requires reporting of all disclosures unless the entity can demonstrate a low risk of harm through a risk analysis, he said.
“This is a much lower threshold,” Ebert said. “It’s a tough element to prove.”
What constitutes a BA and its responsibility to protect and secure patient information also is elevated in the new rules. Ebert said all BAs should implement a privacy and security program, like covered entities have done in the past with HIPAA.
More activity around de-identification and partial de-identification of PHI also is forthcoming. “That’s a big change to look for from both the covered entity and business associate side,” Ebert said.
Williams noted that an entity must be careful when de-identifying information; under the rules, a BA must not have the ability to put the information back together, so as to avoid the potential that it is used for commercial benefit.
Other new requirements of the omnibus include:
- Renewed emphasis on training programs
- Understanding and applying all of the new opt-out and right-to-restrict-use-of-PHI provisions for fundraising, marketing, research and disclosure of PHI to health plans
- Request for medical records by an individual in any form they choose
- Presumption by OCR that your existing systems and processes can support the above as well as other requirements for permitted uses and disclosures
- Multiple opt-ins/opt-outs will require a different presentation of your Notice of Privacy Practices, including greater effort to communicate individual rights to a patient
Enforcement of the rules by the Department of Health and Human Services Office of Civil Rights is not expected to be lax. Ebert noted that the new director of the OCR, Leon Rodriguez, formerly served in the Department of Justice’s Civil Rights Division.
“He has a strong enforcement record,” Ebert said, citing an uptick in complaints over the past 10 years. He said since 2003, there have been 27,500 breaches under investigation and 18,600 corrective actions taken. Also, civil monetary penalties and resolution agreements have amounted to $14.9 million since 2008.
As part of his presentation, Ebert shared a preliminary analysis of HIPAA audits that show much work needs to be done to get covered entities up to speed on privacy and security. For example, he said 39 percent of entities audited said they were unaware of HIPAA privacy requirements and 27 percent said they were unaware of security requirements.
Williams stressed that after Sept. 23, “ignorance is not a defense of the law.” She said covered entities must identify risks in gap areas and document plans to address them.
“If you have identified your risks in gap areas, you are more defensible than if you haven’t documented anything,” she said, noting that the agency’s Office of Inspector General will conduct onsite audits as part of evaluating whether an entity has earned incentives as part of Meaningful Use. “It’s important for OIG and OCR,” she said.
To that end, Williams urged those charged with privacy in covered entities to drive home the importance of sturdy privacy and security practices to leadership to avoid penalties down the line.