The Health Insurance Portability and Accountability Act (HIPAA), with its goal of protecting individuals' privacy and security, has taken hold of the healthcare industry -- not least due to fines of up to $1.5 million as well as the possibility of a prison term. Earlier this year, on Jan 25, 2013, the US Department of Health and Human Services (HHS) released the latest directive on HIPAA, namely the Final Rule / Omnibus Package. Many blogs and articles have been authored to summarize this latest development, yet, in talking to practitioners and industry experts, confusion and lack of clarity still reign supreme. Most providers don't realize that risk assessment is paramount (indeed, per the latest modification to the breach notification rule, you need to "prove" your innocence!); those that do struggle with how to go about doing it.
Starting with this blog entry, we will provide a few different perspectives and scenarios, with the goal of clarifying HIPAA for those that play specific roles within the healthcare system. Subsequently, we aim to build on this to provide additional "views", based on audience feedback and queries. Before embarking on this journey, we must remind everyone reading that we are not lawyers, and nothing below should be (mis)taken for legal advice. We are merely technologists who have a long history of reading and interpreting law, coupled with the privilege of interacting quite frequently with lawyers.
Although the Omnibus Final Rule was published earlier, it went into effect on March 26th, and Covered Entities and Business Associates have until September 23rd to comply with it. In short, the clock is ticking, and you have around six months to get your house in order.
The Omnibus Final Rule comprises 4 rules, which are summarized at the very end. Below, we consider a variety of perspectives around this legislation.
1. Cost. The government anticipates the impact of this rule to be over $100 million, with up to $200+ million in the first year, and roughly a tenth of that on an annual basis - their claim being that there will be zero implementation cost after the first year!
It is widely expected that the annual costs will be significantly higher, due to the need for technological improvements and enhancements on an ongoing basis, as well as the continual need to have appropriate agreements in place across a variety of stakeholders. Healthcare is a rich goldmine from a Big Data point of view due to the large and variegated nature of data in the healthcare system - but it runs the risk of turning into a minefield if providers are not careful and cognizant of costs associated with ensuring HIPAA compliance with that data.
2. Business Associate (BA). A BA is loosely defined as an entity that "creates, receives, maintains or transmits" protected health information (PHI). That begs the question - what of a courier service, USPS, or even an ISP "transmitting" PHI? Well, there is a "conduit" exception, albeit a narrow one intended only to protect such courier services. Indeed, even if a telecommunications company (ISP) needs occasional random access to PHI, it is not deemed a Business Associate, and thus doesn't have to be burdened with HIPAA.
However, an entity that "maintains" PHI on behalf of a Covered Entity is considered a BA, even if it does not actually view the protected information. The question is: Which one are you?
3. Subcontractor. Imagine you are a subcontractor working for a Business Associate, but not part of a direct contract with a Covered Entity. Are you liable? In what way?
Turns out, if, as part of your duties as subcontractor, you create, maintain, transmit or receive PHI on behalf of the BA, then you yourself will be treated as a BA per HIPAA and subject to the HIPAA Breach Notification Rule (but, notably, not the FTC Rule). Here's the kicker - a subcontractor doesn't even need to be in a formal "contract" with a BA to be subject to HIPAA!
4. Financial Institution (FI). What if you are a financial entity engaged in business with a Covered Entity - does that make you a Business Associate? As long as your activities for the CE consist only of authorizing, processing, clearing, settling, billing, transferring, collecting or reconciling payments for healthcare or health plan premiums, you are exempt under HIPAA Section 1179.
However, FIs may be considered BAs if they perform activities such as accounts receivable on behalf of healthcare providers.
5. Researcher. Imagine you are an external researcher hired by a Covered Entity. Should you be considered a Business Associate? The answer is - it depends. A researcher is not a BA merely because they have been hired by a Covered Entity. Researchers are to be considered a BA if and only if they have been hired to conduct a function or activity regulated by HIPAA, and in doing so they have access to PHI.
The five points discussed above are but a mere sampling of the different ways that HIPAA affects entities engaged in or associated with healthcare. In the next post, we will discuss ramifications of HIPAA in-depth for additional scenarios and entities in the healthcare system. Do not hesitate to reach out for a perspective you are interested in or if you have a HIPAA story to share!
- An earlier version of this blog post is available at HIPAAntrepeneurs
The HHS summarized the Omnibus as follows:
"1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:
3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009."