Latest HIPAA Compliance Rules and Their Implications for SIEM

Changes to the rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) take full effect on September 23, 2013, and the U.S. Department of Health and Human Services (HHS) has made clear that ignorance will not be accepted as an excuse for noncompliance. HHS published the amendments, known as the "Omnibus Rule," in January 2013. The new requirements apply to health care providers, health plans and other covered entities, and, for the first time directly, to their business associates.

The rule changes are meant to strengthen the privacy and security of protected health information (PHI), simplify the conduct of research involving human subjects, and close loopholes and ambiguities in the existing rules, among other goals. Although several news and health organizations have described the Omnibus Rule as "sweeping reform," the changes are less dramatic than that label suggests. They do, however, require careful consideration and a thorough understanding by every affected party.

What the New Rules Entail

If you have a long attention span and a whole day to spare, you can read the roughly 500 pages of the HHS Omnibus Rule yourself. If not, these are the most important changes to be aware of:

  • Business associates (and their subcontractors) are directly liable for compliance with the applicable HIPAA rules.
  • The sale of PHI is prohibited without written authorization from the individual.
  • The use of PHI for marketing or fundraising is tightly restricted.
  • Individuals gain easier access to their electronic health records, including the right to an electronic copy.
  • Covered entities must make specific changes to their notices of privacy practices.
  • Rules governing disclosure of PHI to research organizations and to schools (for immunization records) are modified.
  • Family members and others involved in a decedent's care may receive the decedent's PHI, and PHI is protected for only 50 years after death.
  • Additional HITECH Act provisions are adopted, including penalties for noncompliance due to willful neglect.
  • A tiered civil money penalty structure determines the fines for noncompliance.
  • The subjective "harm threshold" for breach notification is replaced by a more objective standard: an impermissible use or disclosure is presumed to be a breach unless a risk assessment shows a low probability that the PHI was compromised.
  • Health plans are prohibited from using or disclosing genetic information for underwriting purposes.

This is only a brief overview of the most significant changes that health organizations and business associates must comply with by September 23. The full text published by HHS explains each change in detail and provides a number of hypothetical situations to illustrate how the rules will apply in practice.

Consequences of Noncompliance

Noncompliance with the new rules carries serious financial consequences, not to mention potential damage to an organization's reputation. The Omnibus Rule adopts four tiers of violations, labeled A, B, C(i), and C(ii), each reflecting greater culpability on the part of the offending party and carrying heavier fines. The minimum penalty per violation ranges from $100 where the violator did not know (and could not reasonably have known) of the violation, up to $50,000 for willful neglect that was not corrected; the maximum for any tier is $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision.

Preventing Noncompliance

The most effective way to prevent HIPAA noncompliance, and the heavy financial toll that comes with it, is to maintain complete visibility into where PHI is stored and who accesses it, when, and from where. Auditing and data management software helps here because it can monitor and control access to sensitive files and retain the resulting audit trail, which supports the audit control and access control requirements of the HIPAA Security Rule. A relatively small investment in such software can save far more than its cost in penalties. Remember, you only have until September 23 to make sure your organization complies with the new HIPAA rules; the clock is ticking.

Written by Steve Garms at Visual Click Software, a company whose vision is to provide software solutions that enable customers to reduce the time, complexity and costs of managing their network security.
