Be Proactive to Avoid HIPAA Violations

When it was first introduced in 1996, the Health Insurance Portability and Accountability Act (HIPAA) aimed to make it easier for patients to transfer their health coverage from one carrier to another, and move their records from one physician to the next. But in recent years the focus has shifted almost exclusively to data privacy and security.

The timeline of this evolution is full of numerous milestones, additions, and modifications to the initial law. The latest, and perhaps the most sweeping, modifications to HIPAA come by way of the so-called HIPAA Omnibus Rule. The main message of the omnibus rule: data security must be taken seriously. And if it’s not, the consequences will be significant.

Business Associates

One positive development for physicians coming out of the Omnibus Rule is that they now share liability for data breaches with their business associates, says Jorge Rey, CISA, CISM, director of information security and compliance with the audit department at Kaufman, Rossin & Company, a Miami, Florida-based accounting firm.

A practice must first identify all of its business associates. Contractors who do not come into contact with protected health information (PHI) are not considered business associates for purposes of HIPAA. A business associate agreement (BAA) should be drafted for each one that falls under the definition.

The agreements spell out the obligations of the BAs, and of their subcontractors, to abide by HIPAA rules, something they were not directly required to do before the Omnibus Rule. If the BA is responsible for a breach, the notification responsibilities can be fully delegated to it. But Adelman suggests that practices retain that responsibility themselves.

“The business associate determines there was a breach and they give notice to the patients,” Adelman says. “The problem with that is, what if it wasn’t a breach and they give notice? Say it was my accounting firm. Do I really want my accounting firm telling my patients they accidentally disclosed all this information and it’s out there?”

He suggests that covered entities include in their BAAs a clause that, in the case of an incident, the business associate works with the covered entity to determine whether it was a reportable breach. If so, the BA and the covered entity determine the message to the patients together. The BA can still take full responsibility for the cost of notification, however.

HIPAA had long been a set of rules without teeth, so many practices didn't take it seriously. Diamond says patient attitudes have made it important for practices to comply. "Consumers know more about the vulnerability of their information and are demanding protection of privacy," he says.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.