Changes to HIPAA were recently enacted under The Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act that was signed into law last month by President Obama.
Inside HIPAA 2.0
Before looking at the changes to HIPAA, it's important to understand the three general groups of organizations under the act: covered entities, business associates and everyone else. Covered entities include health care organizations or health insurance companies. Business associates are organizations that support covered entities and handle protected health information (PHI), such as online backup providers and billing agencies, and then there is everyone else.
HIPAA requires that covered entities meet specific requirements before they are certified compliant; if they do not, they are subject to fines. As a result of HITECH, civil penalties for HIPAA violations have increased significantly. Additionally, deliberate disclosure of PHI for non-legitimate reasons can result in criminal prosecution. HITECH specifically allows state attorneys general to file civil suits as well as criminal charges, though for many states this was already the fact due to CA 1386 and other state data breach-notification laws.
HIPAA also now requires covered entities disclose if and when they have a security breach and client data is exposed. All individuals affected by the breach must be notified, and if more then 500 users' data has been compromised, the organization must notify the Secretary of the Department of Health and Human Services (HHS) who must then publicly post the breach on the HHS website.
HIPAA and solution providers
For solution providers, these changes translate to more billable consulting hours at covered entities. Covered entities must either implement additional controls and/or verify that their existing controls are sufficient. New security and privacy controls will also be needed, including adding firewalls, access control systems and encryption. Covered entities don't typically have the expertise in the areas solutions providers do, so that means ample opportunities to expand existing customer relationships.
Business associates must implement a host of new controls once the Secretary of Health and Human Services (HHS) publishes guidelines providing more clarity regarding what exactly business associates need to do, and that's supposed to happen very soon. While the most forward-thinking companies will already have strong security programs in place, at a bare minimum they will be running audits to verify their programs are running as effectively as they think they are. Companies that aren't as prepared will have a busy few months ahead of them as they bring themselves into compliance with the new requirements. Again, solution providers are positioned well to step in and quickly help business associates evaluate the programs they have and implement what they may be lacking.
Given the number of changes, I highly recommend reading the HIPAA law. At a high level, to the following represents what security-focused solution providers must know and communicate to customers:
- Civil penalties for non-compliance have gone up for covered entities (i.e. health providers and insurance companies) and malicious violations can now mean jail time.
- Business associates will have additional compliance requirements (to be announced by HHS by April 17th) that will range beyond simply needing contractual terms for privacy and security.
- Covered entities and business associates now must notify customers in the event that their PHI is breached; information on breaches involving 500 or more individuals' must be reported to the Secretary of Health and Human Services.
So how can solution providers respond right now? First, start educating customers about the new legislation. Also monitor the HHS website and keep an eye out for the forthcoming new requirements. Similarly, update the incident response processes recommended to customers to include the new notification requirements.
In general, I don't expect the scope of compliance service offerings to change significantly, since the actual controls requirements for covered entities haven't changed. However, the potential customer list for these services just expanded by about an order of magnitude or so since business associates will now have to follow a large subset of the same controls, proving yet again that while compliance does not equal security, it sure can drive it.About the author:
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.
This was first published in March 2009