New HIPAA Regulation Puts Pressure on Health Care Providers and Payors to Better Protect Health Information
In mid-January, the U.S. Department of Health and Human Services (HHS) issued wide-ranging changes to the rules implementing the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA. The changes take effect March 26, and organizations will have six months (until September 23) to comply with the new requirements.
According to HHS, the purpose of the new rules is to strengthen the HIPAA privacy and security protections for an individual’s health information stored in electronic health records and other formats.
Among the more significant changes, business associates will now be directly liable for HIPAA violations. Business associates are organizations that “create, receive, maintain, or transmit” protected health information (PHI) on behalf of health care providers and payors. That definition covers cloud, managed hosting and colocation service providers that store patient information for health care providers.
In addition, the new rules move HIPAA enforcement away from voluntary compliance and toward a penalty-based system. Depending on the circumstances, fines can reach a maximum of $1.5 million per year for all violations of a single provision.
“The magnitude of these changes -- especially business associate compliance -- is enormous,” said Dr. Peter Tippett, chief medical officer and vice president of the Verizon Innovation Incubator. “HHS estimates between 200,000 and 400,000 business associates will need to establish compliance with the security rule. Otherwise, these organizations may be subject to significant penalties under the new ruling.”
The final rule also expands patient rights and makes it easier for individuals to access and manage their electronic medical information. Key changes affecting a patient’s ability to control their personal information include:
- Patients can request a copy of their electronic medical record (EMR) in electronic form.
- Patients who pay for a treatment out of pocket in full can instruct their provider not to share information about that treatment with their health plan.
- Individuals can more easily authorize the use of their health information for research purposes.
- Parents and others can more easily give permission to share proof of a child’s immunization with a school.
“These changes cannot be underestimated,” added Tippett. “Managing HIPAA is hard enough today as organizations scramble to modernize their offices as they move from paper-based recordkeeping systems to electronic ones. This just adds another level of complexity.”
“The good news is that Verizon is one of the very few providers that stand behind their cloud services by offering customers the protections afforded by a business associate agreement,” said Tippett. “Because of this, Verizon is in a unique position to help health care organizations as they move toward compliance with the new HIPAA rules.”