Tough new privacy regulations for healthcare providers go into effect today.

In January 2013, the Department of Health and Human Services proposed substantial changes to the Health Insurance Portability and Accountability Act's (HIPAA) privacy and security rules. Those final rules took effect in March, with covered entities expected to comply by Sept. 23 or start facing ramped-up fines and enforcement actions.

The HIPAA Omnibus Rule, formally known as “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules,” is a package of numerous privacy-related rule changes. Chief among them is a provision that will lower or eliminate the “harm threshold” used to determine when a healthcare provider is required to report data breaches. Another change requires “business associates” and sub-contractors to abide by some of the same requirements as the covered entities they work with, including encryption standards for patient data that may pass into their hands. The rule makes them liable for breaches and unintended disclosures.

Fines can run as high as $1.5 million. To step up enforcement, the rule further empowers state attorneys general to enforce HIPAA compliance.

Other new rules: patients can request electronic copies of their medical records; and patients who self-pay for healthcare services can request that doctors not report those procedures to their health plan. 

The HIPAA modification that calls for “business associates and sub-contractors” to comply with privacy requirements has generated the most controversy and will force healthcare entities to assess their vendor contracts and agreements. Many of those service providers, especially those whose core business falls outside the healthcare sector, may not be aware of or ready for the new requirements.

That was borne out in a survey earlier this month by Coalfire, a governance, risk and compliance IT firm based in Denver. While a majority of healthcare business associates said they have assessed their compliance and have an incident response plan in place, fewer than half reported they are currently compliant with the final Omnibus Rule. A majority of business associates said they were unaware of their responsibilities under the new provisions. In addition, very few respondents admitted to signing a Business Associate Agreement, as required by the rule.

On a positive note, the majority of business associates surveyed said they have a process in place to report data breaches as required by the HIPAA Omnibus Rule.

Among the actions Coalfire suggests:

Revise your policies and procedures and retrain your employees. Many of the changes outlined in the final Omnibus Rule will require revisions to written policies and procedures and the implementation of changes to current practices.

Assess whether you are subject to a Business Associate Agreement. Business associates' subcontractors must carefully assess whether they are directly liable under HIPAA.

Take stock of your vendors and put the proper written agreements in place. Even though existing BAAs may, under certain circumstances, be grandfathered in until Sept. 22, 2014, covered entities and business associates should start reviewing their agreements now and renegotiating them.

Audit your compliance. Be sure that you are prepared to face an audit or compliance investigation, that you feel confident about your level of compliance, and that you are in a position to defend your policies, procedures and practices.