As risk managers familiarize themselves with the requirements of the HIPAA/HITECH final rule, which sets strict rules for the handling and protection of patients' protected health information, they must refocus on compliance and ensure their organization's data breach response plan is up to date and appropriate.
That is the view of William Boeck, senior vice president, insurance and claims counsel for Lockton Global Technology and Privacy Practice. Risk managers must take responsibility for ensuring staff are up-to-date, he said.
“Likewise with any internal procedures that staff are asked to follow, ensure they are up to date and ensure staff are well aware of the privacy and security obligations that the company works under,” he said.
He added that where risk managers can influence the selection of vendors, they need to make certain those vendors are HIPAA/HITECH compliant. This is especially important because the final rule extends direct liability for violations of the HIPAA rules to business associates and makes them answerable to the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), which can investigate and fine them.
Another important aspect of the final rule is the presumption of harm in the case of data breaches: an impermissible use or disclosure of protected health information is presumed to be a reportable breach unless the entity can demonstrate a low probability that the information was compromised.
“Under the interim rule that healthcare entities have been operating under for the last couple of years, entities were able to investigate whether a particular event would result in harm to affected individuals before determining that a breach triggering notification and other obligations had occurred,” said Boeck.
“Now, under the new rule there is a presumption of harm. That’s certainly rebuttable but it’s going to force all covered entities and business associates to react more quickly when an event that looks like it’s a breach has occurred.”
He said that in cases where protected health information has been disclosed, organizations will have to do a great deal of work in a short space of time to rebut the presumption of harm and show that no reportable breach took place.
“Under the final rule we may see more entities giving notice of a breach event than they might have in the past because they’re unsure whether they can successfully rebut the presumption of harm, so they will err on the side of caution,” he added.