The proposed rule that modifies the HIPAA privacy, security, and enforcement rules has been published in the Federal Register for about a week.
And while it may not be time to flip your HIPAA compliance program upside down—it is, after all, a proposed rule that could go final anytime after the last comment is sealed by HHS Sept. 13—you should take note of several items from the rule.
The following items are courtesy of Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. Herold will be co-hosting the HCPro, Inc. audio conference, "HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations," Tuesday, August 31:
- HIPAA and HITECH applies to business associates (BAs). “Including clear indication that HIPAA and HITECH applies to BAs is a great idea,” Herold says. “I've spoken to many BAs who still believe that they only have to have the BA agreement in place, and I've had multiple covered entities (CEs) point out that the HHS has never explicitly stated that they needed to do more than provide a BA agreement for their BAs. If accepted and implemented as worded, the changes in the [proposed rule] make it much more clear that the CEs' responsibilities must go beyond just having a BA agreement.”
- New definition of “standard.” Herold calls replacing “individually identifiable health information” with “protected health information” in the definition of “standard” a strong idea. “This has always been a point of confusion for many/most CEs, and then last year for BAs.”
- Subcontractors now BAs. Many subcontracted entities handle PHI, and it makes sense to make them BAs by definition and liable for breaches. “Including subcontractors is a very good thing,” Herold says. “They provide many of the breaches.” It’s also a good thing to see the following entities included under HITECH, such as:
- Patient Safety Organizations (PSOs)
- Health Information Organizations (HIO)
- E-Prescribing Gateways
- Other persons that facilitate data transmission, as well as vendors of personal health records
- Updated definition of "Electronic Media." The original definition became outdated quickly, Herold says. “The new one does allow for ongoing technological innovation and changes to be covered,” Herold says. “Pointing to a NIST definition is a good way to have it more consistent with other laws and regulations that also use this definition.”