'Aggressive Enforcement' on Privacy
Today marks the day for organizations to comply with expanded federal guidelines for protecting private health information, and it's not just organizations in healthcare-related fields that need to pay attention to the new rules, experts say.
By Kecia Bal
Key changes to two healthcare-privacy measures now broaden governmental reach, which may lead to stricter enforcement of private health information, legal experts say.
The changes - affecting both the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act -- take effect today, Sept. 23.
"There is no question that there will be aggressive enforcement, at first within the healthcare community and then it will start moving downstream," says Mike Stovsky, chair of innovations, IT and intellectual property at international business law firm Benesch in Cleveland.
"The most surprising thing is that there are a host of companies that you would not normally think of that now need to comply," he says. "The compliance obligations for companies that didn't used to have such severe obligations has increased dramatically."
The new "mega-rule" HIPAA regulations -- the largest set of modifications to the federal law's security and privacy measures to date -- include an update to the 2009 HITECH Act and new requirements meant to bolster patient-privacy protection and rights to health information. They also increase enforceability with heftier fines and extend coverage to "business associates," which will in turn be directly subject to auditing and potential sanctions.
Business associates, Stovsky says, includes any company that may perform services or provide products for covered entities.
"Those third-party organizations -- from a software developer to the janitorial service that comes in at night -- anyone who has access to protected health information is a business associate," he says. "Those companies now have to comply in full to HIPAA.
Stovsky says the new guidelines could quickly ensnare almost any organization.
"Let's say I'm a big manufacturing company that hires a cloud vendor," he says. "[Then] that vendor leases a building from somebody. Then the real-estate company has to be compliant [with these new guidelines]. If any one of them is not compliant, then the manufacturer is not compliant, and they're in trouble."
Companies with self-funded health plans also now will be subject to HIPAA, unless there are fewer than 50 participants, according to the new guidelines.
"If you handle protected health information for your employees," he says, "you [still] have to be compliant. The difference now is that the rules are stricter, and the security obligations are significantly more in-depth than they were in the past."
Though the updates have been anticipated since 2009, even companies accustomed to being in HIPAA compliance can be vulnerable to simple, but costly, mistakes.
Affinity Health Plan, a New York-based managed-care company, recently settled for $1.2 million in fines in response to claims that company forgot to clear a hard drive attached to a copy machine. The hard drive contained individuals' health records. Other recent examples, such as the Virginia Department of Human Resource Management's leak of personal information, including Social Security numbers, of 13,000 Virginia state employees, highlight how subcontractors can make managing protected information a complex task.
Under the new rule, penalties for noncompliance now increase, depending on the level of negligence, to a $1.5-million-per-violation cap.
Bruce Lamb, a shareholder and lead of the healthcare practice group at Gunster law firm in Tampa, Fla., says the increased potential costs -- along with increased potential for liability through third parties -- mean HR leaders need to immediately and essentially re-examine every party with whom they conduct business.
"Many companies that are business associates of entities will now be directly liable," he says. "The business associates have to do a risk assessment. They have to create compliance policies, train the individuals involved in handling protected health information, amend business associate agreements, if they have any, and have a reporting mechanism in place if there is a breach."
Even employers who do not have self-funded health plans now may fall under HIPAA coverage, he says.
Some employers that are not even self-administered or self-insured could still be considered a covered entity if they're providing other services considered covered under HIPAA, he says. That includes employee-assistance programs, medical-reimbursement accounts and employers with on-site clinics.
"I think there is a lot of noncompliance right now," Lamb says. "Basically, if the employer handles protected health information, then HIPAA is applicable, and they need plans, training and all those types of things. What we're advising [HR leaders] is to have an analysis performed to determine whether [their organizations] fit the requirements."
The changes provide an opportunity to tighten security around protected information and carefully examine how many employees have access to that information, says Alison L. Schaap, senior vice president at Aon Hewitt in Chicago. Many of the consulting firm's clients already are aware of new compliance guidelines, she says.
"I think that it's really about educating the workforce and conducting refresher training, because many organizations have really good measures and controls," she says. "It's telling employees, 'Again, here is what we have in place. We need you to follow it and here is when you should report an incident.' "
Schaap advises HR leaders to focus on clear communication channels for how incidents will be reported, so workers know where to go if they suspect something amiss.
As part of that communications effort, she says, HR should be asking whether everyone with access to such private information actually needs it.
"If they don't, shut down those channels," she says. "Look at roles and level of access, and reconfirm the safeguards you have in place."
Stovsky says he anticipates a trickle-down enforcement that eventually will sting noncompliant companies outside of the healthcare arena, likely through situations that involve disgruntled former employees.
"I think that whistleblowing is probably one of the biggest sources of concern," he says. "If [former employees] know there's an obligation, you can see them turning in their [former] employers. The only way to stop it is to come into compliance. I think it will be very similar to the software-licensing-information compliance issues a few years ago.
"Healthcare industries are already in compliance," he says. "They've known about it, but there are some pretty big companies with self-funded health plans where their in-house counsel is just learning about this."