Get Set: New HIPAA has Teeth

The HIPAA Privacy and Security final rule, also known as the HIPAA Omnibus Rule, became effective March 26, 2013. One expert predicts enforcers will have a heyday with their expanded ability to crack down on providers and their business associates.

According to Jorge Rey, an associate principal and the director of information security and compliance for Kaufman, Rossin, the biggest difference in the new rule is a change in breach notification. Under the old rule, providers were presumed not to have harmed patients when a breach occurred unless it was proven otherwise. Under the new rule, an impermissible use or disclosure of patient data is presumed to be a breach, and providers carry the burden of demonstrating that it was not. They will have to prove their innocence.

Providers and their vendors and subcontractors have, “in theory,” 180 days to comply before the Office for Civil Rights begins enforcing the Omnibus Rule on Sept. 23, 2013, Rey warns. That grace period is no reason to relax: they remain accountable under the existing HIPAA rules until then, he says.

The addition of business associates under the Omnibus Rule could catch some companies and providers unaware and unprepared, Rey warns. “A lot of business associates didn’t plan for this,” he says of the expanded HIPAA rule. “They have never had to comply with HIPAA before.”

According to Rey, OCR has already taken enforcement action against five covered entities, with settlements ranging from $50,000 to $1.7 million. The smallest of those enforcement actions involved a breach of fewer than 500 records. “I think they are putting out the message that they are serious about enforcement. They are going after small and large cases,” Rey says.

He says he has received emails from OCR indicating the agency is starting to hire enforcement officials. “There’s going to be a lot of enforcement going forward,” he says.

How to prepare? Rey says small provider groups, short on resources, can rely on parent organizations or even government programs to help them do risk analysis. “Don’t take this lightly. The main reason covered entities ran into big problems with OCR last year was they didn’t conduct risk assessments,” he says. “Providers should identify all of their vendors with access to personal health records and ensure they are protecting it according to the new HIPAA rule.”

In addition, “create a visual map of your data; understand where your data is,” Rey says. Encrypt data on laptops, and determine whether data would be safer kept in a centralized location. He points out that PCs and servers are also vulnerable to breaches.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.