The final rule becomes effective March 26, and final compliance is required by Sept. 23.
The new rule reflects two major changes with respect to firms' cyber activities. First, it significantly broadens the definition of healthcare providers' business associates, bringing many more downstream subcontractors and others under HIPAA's authority. These can include data transmission services, document and data storage organizations, personal health record vendors and financial institutions that lend to the healthcare industry.
Second, it changes the criteria used in deciding whether a breach requires notification, placing a greater onus on the healthcare provider to establish why notification should not be made.
“We see our clients making every due diligence to be HIPAA-compliant,” said Robert Parisi, network security and privacy practice leader for Marsh in New York.
Observers say many large healthcare providers are prepared.
Cris Ewell, chief information security officer at Seattle Children's Hospital, said, “We're a mature organization, and we have a very robust security and privacy program here at Children's, so I think we're going to be able to handle the requirements.”
He has worked with Portland, Ore.-based ID Experts, a data breach prevention and response firm.
“The largest and most sophisticated healthcare organizations will be able to embrace the changes and ... update their mechanisms to operate within the rules,” said Doug Pollack, ID Experts' chief marketing officer. “I think the hard thing is when you get into the much smaller organizations,” such as rural hospital systems and clinics, which will have a “hard time keeping on top of all this regulatory structure.”
Meanwhile, many healthcare providers' business associates now covered by the rule were unprepared, which could potentially lead to millions in penalties, observers say.
The business associates rule is a “rude awakening for them because there are real penalties involved here,” said Cynthia Larose, a member of law firm Mintz, Levin, Cohn, Ferris, Glovsky & Popeo in Boston. Violations can total up to $1.5 million annually for identical violations of the same provision.
There are medium to small vendors, as well as “fringe” vendors such as collection agencies, that may not be ready, said Tom Srail, Cleveland-based senior vice president of FINEX North America at Willis North America.
Many vendors said, “Let's just wait and see what the actual regs come out with,” because sometimes regulations “fine-tune things” that were more broadly written in the law, said Steven Fox, a principal with law firm Post & Schell in Washington.
Drew Gantt, a partner with law firm Cooley in Washington, said many companies “just don't want to be subject to HIPAA” and will have to decide whether to continue in these business relationships with healthcare providers.
The analyses firms must undergo to determine whether there has been a breach requiring notification also have changed. The previous standard “placed the main emphasis on looking at harm to the individual, which was causing some very subjective situations,” said Adam Greene, a partner with law firm Davis Wright Tremaine in Washington.
The old standard had been criticized for being comparable to “letting foxes guard the henhouse,” said William Maruca, a partner with law firm Fox Rothschild in Pittsburgh. The new standard “is supposed to be more objective,” and while not totally so, tends to move in that direction, he said.
“Where it might get tricky is when you choose not to notify,” said Sarah Stephens, San Francisco-based assistant vice president with Aon's financial services group.
Bruce Radke, a shareholder with law firm Vedder Price in Chicago, said, “I think folks are going to err on the side of giving notification,” which will be expensive in terms of notification costs and conducting investigations “from a forensic and also from a legal side” in determining whether notification should be made.
—Crain's Business Insurance