E-Rules and Small Business
A new rule is being passed, aimed mostly at small businesses, to help protect private customer information. It is not about someone hacking into the computers and getting the information, but about other people in the offices.
Before the rule, the individual businesses were responsible for making sure that employees who had no business seeing certain information were blocked from doing so, by turning the monitor or putting on a glare filter.
This ruling was passed in 2003, but like most of the rulings in HIPAA, no one seems to pay attention to them. I doubt they break out in a sweat as deadlines pass them by. The last deadline was April 21. I wonder if they set another date.
May 8th, 2006 at 6:01 am
The article “HIPAA e-Rule Surprises Small Businesses” lacks a degree of accuracy. To my knowledge, no “addendum was slapped on the Health Insurance Portability and Accountability Act of 1996” in 2003. What occurred in 2003 was that the HIPAA Security Rule, first proposed in 1998, became final. By its terms, and the statutory language of HIPAA, the Security Rule applies only to “covered entities,” which include most healthcare providers, healthcare clearinghouses, and health plans (both fully insured and self-insured). Although the Security Rule became final in 2003, most covered entities were given two years to implement its requirements (until April 20, 2005). An exception was made for “small health plans” (not small businesses), which were given until April 20, 2006, to complete their Security Rule implementation. The Security Rule’s applicability to all health plans – whether large or small – was part of the Security Rule from the time it was proposed in 1998 and from HIPAA’s enactment in 1996.
The article overstates the Security Rule’s impact on a small health plan (and on the business which is the plan sponsor). First, the Rule only mandates measures for defined “electronic protected health information” or “ePHI”. It does not apply to employee information which is not ePHI, such as job performance reviews, etc. For example, if an employer requires mandatory periodic drug testing of its employees as a condition of employment, the drug test results are not ePHI and the Security Rule doesn’t apply (that is not meant to say that a business should not protect that drug testing information – just that securing the information in electronic form is not regulated under the HIPAA Security Rule).
Overlooked by the article is the fact that small health plans have been subject to the HIPAA Privacy Rule since April 14, 2004. The Privacy Rule contains within it what has been termed the “mini-Security Rule,” which required small health plans to adopt administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of all protected health information (whether in paper, electronic or some other format) beginning in 2004. For health plans themselves, particularly those that are fully insured (where the insurance company providing the health benefit payments is the covered entity), compliance with HIPAA is the responsibility of the payor/insurance company. For self-insured plans that use a third party administrator, the TPAs have generally taken on a lot of the compliance burden, as they, not the employer, create, receive, transmit and maintain most of the ePHI to be safeguarded under the Security Rule.
The statement in the article that “HHS may be looking to show its teeth, and make an example out of the first batch of rule-breakers it catches” is hyperbole – the type of statement that is all too often used as a scare tactic by vendors and others seeking to “sell” compliance solutions. The enforcement reality is that, in the three years since the Privacy Rule went final (and two years after small plans were required to comply with the Privacy Rule), HHS has not levied a single civil fine in its handling of more than 12,000 Privacy Rule complaints. Moreover, the Office of e-Health Standards and Services within the Centers for Medicare and Medicaid Services, which has HIPAA Security Rule enforcement responsibility, has not levied any civil fines under the HIPAA Security Rule. In publishing the February 16, 2006 final HIPAA Enforcement Rule, HHS did not give the “security rule teeth.” The rule merely set forth what had been the practice in enforcing the HIPAA Security, Transaction and Privacy Rules for more than a year. Finally, the article states that “HHS does not have authority to audit companies as a way of ferreting out violators.” This is incorrect – HHS does in fact have authority to investigate, on its own initiative, covered entities for compliance with the HIPAA Privacy and Security Rules, under the HIPAA statutes and the Rules. What is true is that, to date, HHS has determined, for a variety of reasons, not to exercise this authority.