HIT administrators face yet another challenge as federal data breach notification rules for entities covered by HIPAA took effect last week. The new rules provide greater protection against personal health information getting loose, and up the ante considerably by extending coverage to “business associates” of HIPAA-covered entities.
The term ‘business associates’ covers a wide range and includes HIE partners, third-party administrators, claims processors, attorneys, accountants and software providers, among many others.
Under the rules, HIPAA-covered entities such as hospitals, doctors and health plans have to inform victims of unauthorized releases of their private data that their PHI has been compromised. The new rules also provide for criminal and civil penalties.
This means that everyone involved in the healthcare industry needs to reassess their technical and administrative strategies, even if they have had good security policies in place for a long time. HIT administrators need to take a hard look at how they work with partners and subject any vendor hosting HIT applications to a rigorous security check-up.
There are some flaws and drawbacks in the rule, however. If the breached data is encrypted, making it unreadable, unusable or indecipherable, covered entities don’t need to notify anyone. Likewise, providers can skip the notification process if the breach doesn’t pose a significant risk of financial or other harm to an individual, and the rule lets the provider decide whether the possible harm meets the disclosure standard.