Healthcare providers could see a huge administrative burden under HIPAA, triggered by the recently released final omnibus rule from the U.S. Department of Health and Human Services. The rule adds muscle to HIPAA to better protect protected health information (PHI) in the digital age. It also strengthens the HITECH Act (Health Information Technology for Economic and Clinical Health Act), which was enacted to stimulate the adoption of electronic health record (EHR) systems.
Cost trigger: The final rule shifts from a harm-based standard to a focus on the probability that PHI is compromised in any data leak, according to Lisa Sotto, head of Hunton & Williams's global privacy and data security practice, in an interview with InformationWeek. "The focus on harm to the individual and any injury the individual may suffer has been eclipsed by the question of whether the PHI has been compromised," she said.
An obligation is now imposed "all the way downstream" to every entity that has access to PHI. This results in "some very long chains of custody for data," she said. Providers will have to figure out who these downstream entities are and inform them that they are also on the hook for HIPAA compliance.
"This is an enormous administrative burden that's about to happen," Sotto said.