Auditors: Prepare for the "Year of Healthcare Privacy"

Thursday, March 03, 2011

Rebecca Herold


This looks to be the year that healthcare privacy takes center stage. Why? Let’s take a quick look at the past few years to set the scene.

Until US President Barack Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA) into law on February 17, 2009, only covered entities (CEs) were required to comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule.

However, ARRA made business associates (BAs) directly responsible for compliance with the Security Rule in its entirety and the disclosure provisions of the Privacy Rule, pursuant to the new Health Information Technology for Economic and Clinical Health (HITECH) Act found within ARRA.

BAs are organizations that provide a service for or on behalf of a healthcare provider or payer, and that service involves access to protected health information (PHI). Considering that most CEs have multiple BAs (I’ve done work for some with more than 2,000 BAs), there are literally millions more BAs than there are CEs.

BAs scrambled to figure out what to do because, to date, most had not worried about knowing more about HIPAA beyond getting a BA Agreement in place. The HITECH Act includes a statutory obligation for BAs to comply with HIPAA, and BAs now face noncompliance enforcement actions from the US Department of Health and Human Services (HHS), in addition to also possibly receiving civil and criminal penalties for noncompliance and for PHI breaches occurring from compliance failures.

The HITECH Act also increases the penalties for violations of HIPAA. The HITECH Act authorizes state attorneys general to bring civil action in federal district court against individuals who violate HIPAA. Multiple states have indeed taken actions over the past year.

Spring forward to 14 July 2010, when the US Office for Civil Rights (OCR) of the HHS issued a Notice of Proposed Rule Making (NPRM) containing modifications to the Privacy Rule, Security Rule and Enforcement Rule under HIPAA, in addition to HITECH.

Most of the lawyers and regulatory analysts I’ve spoken with have indicated that they anticipate most, if not all, of the proposed changes will be enacted into the Final Rule as law by the end of March 2011. Many changes will result, and eight areas will be significantly impacted:

1. BAs and subcontractors will now be legally required to comply with ALL HIPAA and HITECH requirements.

2. More information will need to be provided to individuals regarding how their information could be used for marketing, and additional consents will be required.

3. There will be more restrictions and requirements for CEs and BAs to receive remuneration for certain types of PHI disclosures or uses.

4. There will be more requirements related to using PHI for research.

5. There will be additional requirements related to the "minimum necessary" collections and uses of PHI.

6. There will be stricter requirements for contacting individuals for fundraisers.

7. There will be more types of information to include within the Notice of Privacy Practices.

8. There will be significantly higher sanctions and fines applied whenever noncompliance is discovered, based upon levels of "willful neglect."

What’s happening right now? Healthcare providers that qualify are clamoring to get their US $44,000 in "meaningful use" stimulus funds to convert to electronic health records (EHRs). As part of the requirements for the funds, providers must perform an information security risk assessment and then remediate any problems discovered.

Plus, providers and their BAs are going to be held to stricter compliance regulations due to the previously described changes in HIPAA and the HITECH Act. This will ultimately be good for consumers, but the transition to EHRs, even with these additional privacy protection requirements in place, will result in more patient information breaches if providers do not implement safeguards in a comprehensive manner, and ensure their business associates do the same.

All these issues may very well contribute to the perfect HIPAA/HITECH compliance enforcement storm of 2011. Auditors in the healthcare industry need to make sure that their organization is in compliance with HIPAA and HITECH requirements, and so must auditors within organizations that are business associates of covered entities. If you want to learn more about where your organization stands, check out and

NOTE: I originally wrote this in January. Since that time, in just the past week or two, the HHS has published statements that they will not be releasing the Final Rule of the NPRM by the end of March, at least not a complete rule addressing all the NPRM issues.

However, they did indicate they will be releasing other HIPAA/HITECH guidance by the end of March. And, last week, they applied two significant sanctions ($4.3 million against Cignet and $1 million against Massachusetts General), sending a clear sign that enforcement activities are going to increase and become more severe.


Adjunct Professor, Norwich University, USA

Consultant, Rebecca Herold & Associates


Cross-posted from ISACA
