Thanks to two big regulatory changes—Meaningful Use and the HIPAA Omnibus Rule—security issues should now occupy a top spot on any senior executive’s priority list.
In an interview, Brian Lin, partner and security expert, explains why security issues are in the spotlight now and details recent changes to the HIPAA Omnibus Rule—and why they matter to all organizations.
Q: Why is security such an important priority on which senior management and boards need to focus now given all of the other major issues vying for their attention?
A: Security’s priority has risen primarily due to Meaningful Use and the recent Omnibus Rule.
Security is linked to Meaningful Use because of Core Measure 15, which requires health care organizations to conduct a security risk assessment on a yearly basis—a task that many health care providers have not endeavored to complete annually, but which has been a requirement of HIPAA since 2005.
But Meaningful Use turns this lack of compliance into a much more serious issue. By attesting to Meaningful Use, a health care organization is submitting a claim for payment from the government. As such, any misrepresentations, material omissions, false claims, statements or documents are subject to prosecution under federal or state criminal laws and, potentially, civil penalties. Plus, Meaningful Use shines yet another light on compliance with security risk assessments—senior management should seek to verify their organization’s compliance with this very broad core measure requirement or risk losing previous and future ARRA reimbursements as well as potentially incurring false claim penalties.
Now, on to the Omnibus Rule. While senior management should always be concerned about compliance with any federal regulation, the HIPAA Omnibus Rule should be their highest priority due to the substantial monetary and potential criminal penalties involved with non-compliance. In the HITECH Act, Congress clearly communicated that enforcement of the Security Rule needed to shift to a focus on penalties for breaches and other violations. These monetary penalties can be substantial—just one lost laptop could cost over $1 million in civil monetary penalties.
Q: The HIPAA Omnibus Rule now makes business associates directly accountable under the federal regulation. Doesn’t this simplify the entire business associate agreement process and, ultimately, accountability for violations?
A: Unfortunately, it does not. It is true that business associates can now be held directly accountable under the new regulations; however, the Omnibus Rule now makes health care organizations more directly liable for the acts of their business associates—when they are acting as agents. Previously, this type of liability could be limited with an appropriate business associate agreement. But the challenge for health care organizations now is determining the appropriate level of supervision for their business associates. Providing too much supervision could potentially result in organizations taking on more liability than they desire. Achieving this delicate balance requires appropriate due diligence.
Our clients are in the midst of examining their business associate contracts—trying to appropriately resolve and account for these questions of agency. This is a time-consuming effort that requires multidisciplinary involvement from many parts of the organization, often including the legal department (internal and often external), management resources most familiar with the actual services being provided, and privacy and security officers.
Q: The Omnibus Rule significantly changes the approach to breach notifications—what are the major implications of that for health care organizations?
A: Previously, health care organizations had to report a breach when it was determined that it “posed a significant risk of financial, reputational or other harm” to the patient. But now, this subjective question of “harm” has been replaced with the more objective question of whether information has or has not been compromised. Specifically, the Omnibus Rule amends the definition of breach to include any unauthorized use or disclosure of unencrypted protected health information (PHI), unless the organization can prove “a low probability that the information has been compromised based on a risk assessment.” Four factors must be considered in a risk assessment:
- Nature and extent of the PHI involved
- Unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- Extent to which the risk to the PHI has been mitigated
These represent the bare minimum—additional factors may need to be considered as necessary.
Kurt Salmon is assisting many clients with these types of questions. We welcome your inquiries; please contact Brian Lin using the Contact Us link on this page.