It caught my attention for two reasons.
- It was in my backyard
- It involved the Health Insurance Portability & Accountability Act (HIPAA)
What can I say? I’m a HIPAA geek.
I didn’t start out that way. I was drafted when I was a senior consultant at Mercer Human Resource Consulting.
I was minding my own business when my bosses decided I should learn about a little thing called HIPAA. Thus began my love/hate relationship with HIPAA.
Health plans and the employers that sponsor them may soon have a similar reaction, although theirs may lean more towards hate than love.
What is HIPAA?
Even if you count yourself among the uninitiated, there’s a good chance you already know about HIPAA.
It’s the legislation that has your physician’s office producing yet another form for you to sign, this one to do with privacy.
President Bill Clinton signed the Health Insurance Portability & Accountability Act into law in 1996. There are three parts to HIPAA, as illustrated below.
Protected Health Information
The part causing Idaho State University (ISU) problems is Title II, which deals with privacy and security.
As the Press Release indicates, ISU agreed to pay $400,000 to settle alleged violations of HIPAA’s Security Rule, involving a breach of unsecured electronic protected health information.
Trust me, ISU is not the first to have had a problem protecting health information.
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) enforces the HIPAA Privacy & Security Rules.
According to its site, HHS/OCR investigated nearly 29,000 HIPAA privacy cases. Almost 20,000 cases required corrective actions.
One of the early complaints from privacy advocates was the lack of bite in addressing violations.
It looks like that may change.
Tougher Sanctions on the Way
The recently updated Final Omnibus Rule strengthened the protection of protected health information (PHI).
One of the most significant changes is in the definition of a breach.
- Previous language defined a breach as one causing significant financial, reputational or other harm to an individual
- The final omnibus rule removes the harm standard from the definition
What does that mean for health plans?
The new standard presumes a breach occurred, unless the health plan can prove a low probability that PHI was compromised.
Four factors influence the risk assessment of a presumed breach.
- The nature and extent of PHI
- The person who used or received the PHI
- If the PHI was acquired or viewed
- The mitigation taken
The maximum penalty is $1.5 million – per violation.
Most of the new rules are effective September 23, 2013. So, there is still time for compliance – not a lot – but time.
Employer sponsors of health plans should be speaking with legal counsel. You probably don’t want to be featured in an HHS Press Release any time soon.
Check Free Stuff/Health Care Reform for a nonlegal interpretation and a HIPAA/HITECH 2013 Checklist for Employer Sponsors of Health Plans.
Notice of Disclaimer – Cathy Miller is not an attorney or health care provider and cannot provide legal or health care advice. The information provided is for your general background only, and is not intended to constitute legal or health care advice as to your specific circumstances. We recommend you review legislation with legal counsel and visit your physician for health care issues.