Institutions that collect protected health information (PHI) for research have less than two months to make sure that their systems and procedures comply with the Final Rule issued on January 25, 2013. The deadline for full compliance is September 23, 2013.
While most of the public discussion around HIPAA/HITECH has focused on insurance providers and primary health care facilities, the changes affect virtually any organization that handles PHI, not only those in the health care industry itself.
Of specific importance:
- changes to the definition of who is directly subject to the HIPAA Privacy and Security Rules, now including Business Associates and their Subcontractors
- the need to amend agreements between Covered Entities and Business Associates to reflect this expansion of responsibility, as well as new agreements between Business Associates and their Subcontractors for the same purpose
- a clarification of the notification requirements when a breach of PHI occurs
- an increase in penalties for non-compliance, up to $1.5 million per calendar year for violations of an identical provision
On the positive side, the Final Rule also reduces at least one burden, by streamlining the ability for individuals to authorize the use of their health information for research purposes.
Just weeks ago, the U.S. Department of Health and Human Services (HHS) reached a settlement with an insurance provider over its failure to take proper precautions while upgrading a system that exposed PHI over the Internet.
While the size of the settlement reflects the size of the exposure, which is naturally large for a major insurance provider, the press release makes several points that any organization should keep in mind, and that research institutions in particular should apply as they implement systems. An organization must:
- adequately implement policies and procedures for authorizing access to the on-line application database
- perform an appropriate technical evaluation in response to a software upgrade to information systems
- have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in the application database
The press release also states: "Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet."
It adds: "Beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors."