As HIPAA fines loom, one lawyer offers some friendly compliance reminders

Large fines could be in the cards for those who don't comply with new HIPAA rule
By Mike Miliard
01:00 AM

In a year where "compliance and enforcement is really where the action is going to be," it might help to have some advice on how to keep on the right side of patient privacy law.

That promise, delivered recently at HIMSS14 by Susan McAndrew, deputy director for health information privacy at HHS' Office for Civil Rights, served notice to health organizations and their business associates that fines – potentially big ones – were in the offing in 2014 for those who don't comport with the new HIPAA omnibus rule.

But attorney James Wieland, principal at Ober|Kaler's Health Law Group, also had some hints for those who might still be unclear on the rule's more obscure aspects. He sought to give some advice on the "things causing interest and confusion in the minds of the clients I take care of."

For one, he reminded the audience that patients' rights to electronic access are just as important as their rights to privacy.

"The rights of the consumer are now more and more exercised because more records are stored in electronic form, and more and more people in all age ranges are aware of their access rights," said Wieland – who reminded providers "you can charge for the media if you provide it. Most providers will not let someone else's thumb drive go into their system, so the ones I know will typically buy (USB drives) in bulk and just make them available at cost. You are within your rights to do that."

Another often-overlooked point: a patient's request to send PHI to a third party must be explicit and documented, even though the request comes from the patient. "If you get directions or requests from an individual to transfer their personal health information to a third party, you must get them to clearly state it – in writing – or you will be at risk," he said. "And I would recommend that if it's through a non-secured means, such as transmittal over the public Internet, you get a consent or acknowledgement from the individual that says, 'I understand the risks of sending this in non-encrypted form.'"

Crucially, said Wieland, the importance of a "real, demonstrable risk assessment" cannot be overstated.

This particularly goes for "providers that do not have their own in-house IT staff, that may be relying on a vendor to provide the security," he said. "It is one of the first things in the current environment of enforcement that OCR will ask for if you're investigated for any kind of breach. I tell small providers they can do it themselves, but I direct them to a copy of the first annual guidance, published almost two years ago. It goes through, in detail, about just what OCR expects in terms of risk analysis: It's a thorough review of where PHI flows within your organization and a stratification of the risks, and a mediation plan."

After all, beyond avoiding fines, meaningful use dollars depend on it. "For reasons that have always eluded me, meaningful use has one thing that has nothing to do with EHRs, and has been the subject of a great deal of meaningful use audits – and that's having your risk assessment that includes the electronic health record system," he said. "The other thing to note is that under meaningful use, as opposed to under HIPAA, you have to do that every year. With HIPAA, you have to do it when you have major changes in migration."

According to the 2013 HIMSS Security Survey, 92 percent of organizations do conduct a formal risk analysis but just 54 percent say they have a tested data breach response plan.

"Healthcare organizations are increasingly deploying technologies to increase data security, but continued analysis is crucial in ensuring the proactive prevention of data breaches within hospitals and physician practices," said Lisa A. Gallagher, vice president of technology solutions at HIMSS, in a press statement. "Without these anticipatory measures, security of patient data will remain a core challenge within our nation's healthcare organizations."

"The old rule – why change it?" Wieland asked, referring to HIPAA. The simple reason is "the sea change that has happened since the interim rule was published – the rise of electronic media, of electronic transport and the concomitant rise of loss of data. I think there was good reason to tighten up the rule."

Another "major motivation" was "OCR and the Secretary perceived people were being too liberal under the old rule," said Wieland. "And when you look at it, there really is a difference between a subjective analysis of, 'Can the individual be harmed?' and an analysis of, 'Has the information been compromised?' Because compromise is something that is much more objective."

Some people have argued that, despite all the attention it's gotten in the past year or so, HIPAA "hasn't really changed much," he said. "I would suggest otherwise. I would suggest (processes) must be much more analytically rigorous and much better-documented."

Toward that end, Wieland added one more thought on breach notification: "Always remember that, even if you don't have to send a notice, it's subject to accounting, and while individuals have not necessarily been aggressive in getting accounting, if they do, when they see this and make a complaint, and you haven't filed, or don't have a rigorous, defensible analysis of why it wasn't called a breach, you could be in, uh, I think the legal term for it is 'deep doodoo.'"
