Smaller health care providers, as well as many of the firms that work with all health care providers, are struggling to comply with federal data security rules that take effect soon.
But even larger health care providers would do well to examine their contracts with the firms with which they deal, to be sure their contracts include proper indemnification and other safeguards, experts say.
In January, the Department of Health and Human Service's Office of Civil Rights issued its final rule modifying the Health Insurance Portability and Accountability Act's privacy, security, enforcement and breach notification rules under the Health Information Technology for Economic and Clinical Health Act, which is often referred to as the HIPAA omnibus final rule.
The final rule becomes effective March 26, and final compliance is required by Sept. 23.
The new rule reflects two major changes with respect to firms' cyber activities: It significantly broadens the definition of health care providers' business associates, bringing many more downstream subcontractors and others under HIPAA's authority. These can include data transmission services, document and data storage organizations, personal health record vendors and financial institutions that lend to the health care industry.
It also changes the criteria to be used in deciding whether a breach requires notification, placing a greater onus on the health care provider to establish why notification should not be made.
“We see our clients making every due diligence to be HIPAA-compliant,” said Robert Parisi, network security and privacy practice leader for Marsh Inc. in New York.
Observers say many large health care providers are prepared.
Cris Ewell, chief information officer at Seattle Children's Hospital, said, “We're a mature organization, and we have a very robust security and privacy program here at Children's, so I think we're going to be able to handle the requirements.”
He has worked with Portland, Ore.-based ID Experts, a data breach prevention and response firm
“The largest and most sophisticated health care organizations will be able to embrace the changes and ... update their mechanisms to operate within the rules,” said ID Expert Chief Marketing Officer Doug Pollack. “I think the hard thing is when you get into the much smaller organizations,” such as rural hospital systems and clinics, which will have a “hard time keeping on top of all this regulatory structure.”
Meanwhile, many health care providers' business associates now covered by the rule were unprepared, which could potentially lead to millions in penalties, say observers.
The business associates rule is a “rude awakening for them because there are real penalties involved here,” said Cynthia Larose, a member of law firm Mintz, Levin, Cohn, Ferris, Glovsky & Popeo P.C. in Boston. Violations can total up to $1.5 million annually for identical violations of the same provision.
There are medium to small vendors, as well as “fringe” vendors such as collection agencies, who may not be ready, said Tom Srail, Cleveland-based senior vice president of FINEX North America at Willis North America Inc.
Many vendors said, “Let's just wait and see what the actual regs come out with,” because sometimes regulations “fine-tune things” that were more broadly written in the law, said Steven J. Fox, a principal with law firm Post & Schell P.C. in Washington.
Drew Gantt, a partner with law firm Cooley L.L.P. in Washington, said many companies “just don't want to be subject to HIPAA” and will have to decide whether to continue in these business relationships with health care providers.
The analyses firms must undergo to determine whether there has been a breach requiring notification also has changed. The previous standard “placed the main emphasis on looking at harm to the individual, which was causing some very subjective situations,” said Adam H. Greene, a partner with law firm Davis Wright Tremaine L.L.P. in Washington.
The old standard had been criticized for being comparable to “letting foxes guard the henhouse,” said William H. Maruca, a partner with law firm Fox Rothschild L.L.P. in Pittsburgh. The new standard “is supposed to be more objective,” and while not totally so, tends to move in that direction, he said.
“Where it might get tricky is when you choose not to notify,” said Sarah Stephens, San Francisco-based vice president with Aon P.L.C.'s financial services group.
Bruce A. Radke, a shareholder with law firm Vedder Price P.C. in Chicago said, “I think folks are going to err on the side of giving notification,” which will be expensive in terms of notification costs and conducting investigations “from a forensic and also from a legal side” in determining whether notification should be made.