The U.S. Department of Health and Human Services (HHS) is on the verge of implementing stricter privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that will result in expanded and more stringent privacy and security requirements in the health and insurance industries and will allow patients to obtain a report detailing who has access to their confidential health information.
In February 2009, President Obama signed into law the American Recovery and Reinvestment Act (ARRA), which included a subsequent provision known as the Health Insurance Technology for Economic and Clinical Health Act (HITECH) that increased compliance responsibilities for health providers to provide augmented administrative, physical, and technical safeguards and documentation and policy changes in the storing and dissemination of client information under HIPAA.
The new Omnibus final rule, which is now under review by the Congressional Office of Management and Budget, will increase security tracking requirements, provide for standardized breach notification to clients, and increase compliance enforcement for electronic protected health information. One big change in HIPAA privacy and security requirements will be that HIPAA rules will also now apply to business associates, including subcontractors, of the health provider. Originally, the rules only applied to the entity itself.
According to Ryan Morrissey, CTO of Applied Business Technologies of Delray Beach, Fla., a leading provider of call center software and platforms specifically designed to meet the increased HIPAA and HITECH regulations, health providers and those now covered by HIPAA under the new rules are working diligently to be ready to begin issuing privacy reports to customers once the Omnibus Rule takes effect, to take measures to ensure HHS audit compliance, and to increase their sophistication in monitoring and training their employees to otherwise meet the new guidelines.
"We have seen a great uptick in our HIPAA call center compliance business. More and more, call centers are increasing efforts to establish rigorous standards and to deploy HIPAA-compliant call recording platforms with the proper controls to monitor and evaluate call center representatives. These systems help in securing Protected Health Information in this evolving regulatory environment," said Morrissey.
HIPAA was passed by Congress with the intent to protect the privacy rights of individuals with regard to their confidential medical records. While health providers were required to keep medical information confidential, they were not obligated under HIPAA to inform patients who has accessed their information. When these changes are implemented by HHS, Americans will have the right to get a report from their medical providers or insurance companies detailing who has electronically accessed their protected health information.
In tandem with the proposed implementation of these new regulations, HHS has begun performing on-site compliance audits to review and promote conformity by covered health providers with HIPAA and HITECH privacy mandates.
If a covered entity is in violation, HHS can impose harsh sanctions: it can impose a penalty of $100 per violation, up to $50,000 per incident, that can accrue up to $1.5 million in a calendar year; seek an injunction to stop the violations; and criminally prosecute offenders for knowing violations.
Violation of HIPAA can be costly. In February 2011, Cignet Health of Prince George's County, Md., was fined $4.3 million by HHS for violations of the HIPAA Privacy Rule.
The completion of the approval process for these HITECH Act regulations that amend the HIPAA privacy, security, and enforcement rules is expected to take place by the end of 2012.
"This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information," stated OCR Director Georgina Verdugo in May 2011. "We need to protect people's rights so that they know how their health information has been used or disclosed."