The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) very recently released final modifications/regulations to the HIPAA Security, Privacy, Enforcement, and Breach Notification Rules. This new rule is called the Omnibus Rule.
The final rules, which took effect in March 2013, increase liability for non-compliance and provide for direct liability for Business Associates and their sub-contractors. This includes ACS. However, this ruling is no surprise to ACS, and in fact has been anticipated for quite some time. Long before the proposed regulations were released for public comment in 2009, ACS set its sights on a complete and total understanding of the protection of patient data as it pertains to technical safeguards within our client environments. Our Safeguard program and risk assessment tools have been widely accepted throughout the Kansas City healthcare community for many, many years now. We felt it important, though, to reiterate how important it is to choose the right business partner, particularly one that understands the highly regulated healthcare field.
It is also important to note that the final rules move HIPAA enforcement away from a traditionally voluntary compliance framework and more towards a penalty-based arrangement. Willful neglect is at the top of the list. This is very important, and healthcare entities should pay particular attention to this one. Neglecting your computer network is, in many respects, like leaving your house unlocked when you are away. You never know who may walk in the door, or what they may do. In addition to malicious attacks on your data, complete loss of data is also a very real and serious point to consider. Imagine how your business would survive a complete loss of years' worth of patient data, or for that matter, days' or weeks' worth of important business flow information or patient records. The results could be devastating, and more than likely would be. So, in closing, ACS feels that regardless of what such a new ruling states, a comprehensive, common-sense approach to protecting data should always be top of mind. We are here to help with that.