The Omnibus Final Rule under HIPAA/HITECH is here to stay — the compliance date was in September 2013 — and it requires that health care providers and payors and their business associates update their health data privacy and security policies and procedures.
Some of the key changes to the rules center on Business Associates. The rules have broadened the definition of Business Associate and have added compliance responsibilities as well.
Enforcement efforts at the federal and state levels are ramping up, and significant fines may be imposed on covered entities, business associates and subcontractors that are out of compliance. Complaint investigations and random audits, performed by federal and state investigators, as well as outside contractors, will identify businesses at risk — and self-reporting rules will identify others when they must disclose their data breaches on The Wall of Shame.
Businesses who deal with health care providers and payors and their patient information — even shredding contractors and copy machine leasing and maintenance companies — are now subject to HIPAA/HITECH rules.
Covered Entities will need a review of their policies and procedures as well, to ensure that they are properly managing internal processes and those of their Business Associates.
State data privacy laws continue to interact with HIPAA/HITECH rules in ways that Covered Entities and Business Associates need to understand.