The US Department of Health and Human Services' Office for Civil Rights (OCR) modified the HIPAA Act with the HIPAA Omnibus Rule, which came into effect in the first quarter of 2013.
With the HIPAA Omnibus Rule demanding higher standards for breach notification, enterprises worked to strengthen the privacy and security protections mandated by HIPAA. Other changes included privacy protection for genetic data, limitations on the use of information for marketing, a prohibition on the sale of personal health information without the individual's permission, and an increase in the penalty amounts for non-compliance. Moreover, as part of the change, business associates and vendors who create, transmit or maintain protected health information were made directly responsible for HIPAA compliance.
However, within a year of the rule being enforced, the Department of Health and Human Services' "wall of shame" recorded an increase from the earlier 674 incidents to 1,126 incidents, a whopping 67 percent! As for the number of individuals affected, the count moved up from 27 million individuals as of September 2013 to 38.7 million to date, an increase of 43 percent! The largest breach added to the "wall of shame" since the enforcement of the HIPAA Omnibus Rule is the hacker attack at Community Health Systems, which affected 4.5 million individuals. Federal regulators and experts attribute such a vast increase in the breach tally to various factors, such as the rise in hacking incidents and insider threats, with the HIPAA Omnibus Rule's detailed breach notification requirements themselves making a significant contribution: security incidents are now presumed to be reportable unless healthcare organizations demonstrate that the risks are low.
Despite the heavy penalties, and even a year after the HIPAA Omnibus Rule helped build awareness of HIPAA, there is still a large number of business associates and covered entities that do not fully embrace HIPAA compliance. For the regulatory changes to create a lasting impact, they need to be backed by strong enforcement policies. While efficient risk assessment technologies will help in locating potential threats, covered entities and business associates are also required to review their agreements to ensure HIPAA compliance.
Deploying an automated HIPAA security and compliance management solution such as Aegify Secure GRC will help healthcare providers and practitioners identify, remediate and maintain HIPAA and HITECH compliance for all establishments that handle PHI, especially with the OCR's plans to resume its HIPAA on-premises audit program, which will audit business associates as well as covered entities. Moreover, equipped with built-in frameworks that facilitate compliance with the HIPAA Omnibus Rule, this cloud-based solution ensures that enterprises, vendors and business associates need no heavy investment in new infrastructure. The automated processes in Aegify make it much simpler and easier to remain secure and compliant.