Ready or not: HIPAA gets tougher today

And this time around, when a BA or CE breaks the rules, they’re going to be paying much heftier fines than were originally set forth in the interim rule.
Whereas organizations only faced penalties up to $25,000 for identical violations per calendar year under the interim rule, the final rule increases that amount to $1.5 million for a repeating violation per year.
For willful neglect breaches – meaning the organization failed to correct the issue – each individual violation is pegged at $50,000. The smallest penalty amount organizations could face is $100 per violation.
What’s new?
One of the first changes to note in the final rules pertains to the very definition of breach. The interim rule originally stipulated that a breach compromised the security or privacy of protected health information and posed significant risk of financial, reputational or other harm to an individual – often called the harm standard.
In the Omnibus final rule, not only was the harm standard removed but also a breach is now defined as "impermissible use or disclosure of PHI is presumed to be breached unless an entity demonstrates and documents low probability PHI was compromised."
"There are two changes there," said Robert Belfort, healthcare attorney at Manatt, Phelps & Phillips, in an interview with Government Health IT earlier this year. "First, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, second, the burden of proof is clearly on the covered entity so if that can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach."
Also among the most significant changes in the final rule is that business associates are now accountable for violating specific privacy and security rules.
This should have come as no surprise to BAs, said Rodriguez. "We have been clear for a very, very long time now with the business associates about the fact that they will become directly accountable under the regulations, that they should begin taking all the necessary steps to amend, if necessary, their policies and procedures and practices to come fully into compliance with these obligations," he said.
Despite this, many BAs are still lagging behind in many regards, said Kobus. From his line of work, he sees many business associates much less prepared than covered entities. "We see them asking for help with compliance issues, business associate agreements, questions about cloud computing and general compliance questions," he explained.
Kobus said that between 30 and 70 percent of privacy and security breaches involve a vendor, which puts tremendous pressure on the government to also make BAs liable and follow up with investigations.
But, it's not only that the BAs are often lagging behind. Many covered entities are assuming they’re more off the hook than before.
Kobus sees a lot of covered entities that have questions over whether or not they’re off the hook and don’t have to worry as much as they did in the past now that business associates will be held directly liable for violations. "The answer really is 'no,'" said Kobus. "We still have to keep in mind the covered entities are still responsible for their own violations of the HIPAA privacy and security rules, and business associates are going to be responsible for their violations."
The final Omnibus Rule also expands the definition of business associate to include: health information organizations, e-Prescribing Gateways, certain PHR providers, patient safety organizations, data transmission service providers with access to PHI and contractors involved with PHI.
Additionally, the rule also stipulates that a contract between BA and subcontractor is required and it must be as stringent as the contract between a CE and a BA.
As far as patient control goes, in many ways, the rule imposed tighter restrictions on what organizations can do with patient data without their consent. Patients can now insist their health data is not shared with other groups if they pay for the specific medical services out of pocket, and certain patient information cannot be sold without that patient’s consent.
BA Agreements
Lynn Sessions, Houston-based healthcare and privacy attorney with Baker Hostetler, works with many healthcare providers as they’re updating their business associate agreements, primarily with the larger, more sophisticated BAs. What she’s seeing are protracted, lengthy negotiations around BA agreements, particularly with respect to limitations of liability and indemnification. "We’re encouraging our healthcare clients to include indemnification and perhaps even insurance requirements as part of their business associate agreements so they’ve got protection should a breach take place or if there is a regulatory inquiry," said Sessions.
Some of the business associates are expecting it, she added, as they understand they’re doing business in the healthcare arena. Others, however, who are new to the party, such as providers who thought they were never BAs in the first place are playing catch up. "And so, what used to be in some instances, just kind of the cursory, 'Sure I’ll sign your business associate agreement,' has become a much more detailed negotiation where some covered entities have had to hire counsel," said Sessions.
Now that this piece is more stringent, "I think OCR has gotten covered entities and now business associates’ attention with the fines that have been levied over the last several years," she added.
Jeffrey Brown, chief information officer at the 178-bed Lawrence General Hospital in Lawrence, Mass., said the hospital’s contracts with BAs haven’t changed at this point, but they are in the process of cataloguing all their third-party associates. “We’re going back, doing a detailed review and analysis of the verbiage within those BAAs,” he said. He estimates they have about 75 to 125 business associates at a minimum from an IS perspective. From an organizational perspective, that number is much higher, he says.
In many cases, however, he has noticed these third-party vendors are starting to be proactive, and so Brown is seeing addendums coming through.
Doing it right
Lawrence General Hospital has never experienced a HIPAA breach – for good reason.
"I wouldn’t say (we’re) lucky," said Brown. "Privacy and security and compliance are something that is at the top of our priority list."
Hospital employees are not allowed to bring their own devices to use for clinical purposes; rather, the hospital provides cellphones and laptops to specific employees. All devices are password protected and updated with the latest encryption technology.
If someone loses a cellphone or an employee is terminated, officials have the ability to go in and wipe that cellphone clean of any kind of data. And they do.
Moreover, Lawrence General brings in consulting firms to conduct regular risk analyses and assessments, and a hospital committee meets monthly to discuss the ever-changing nature of privacy and security issues.
This element proves crucial, he says, as the matter is far from static. “Privacy and security in the old days was kind of looked at as a once-and-done deal,” said Brown. “It was something that you did yearly or every two years. Risks and mitigations were presented to the organizations, and you kind of checked the box. And I think now what’s happened is it really is a program and a process that organizationally, and I think culturally, needs to become part of the fabric of what all healthcare entities need to practice,” he explained.
Brown admits there’s an upfront cost to comply with these rules, but views it as a real return on investment. “When you update kind of this triad of people, process and technology, it not only puts the consumer in a better place to be protected but also the organization."
Kobus agrees. He says some of the biggest mistakes by CEs and BAs are lack of education and employee awareness, “people not understanding why it’s critical to protect this type of information,” he said.
But it’s not always a clear cut procedure, especially for larger institutions, added Sessions, who said healthcare organizations notoriously have a lot of policies and procedures in place. “What I can see is that policies and procedures get implemented, and there may be an area in the hospital that wasn’t thought about,” she explained. “There is so much information about patients that are used in healthcare organizations that to be able to ensure education to everybody, that they understand the policy and procedures that are in place and frankly that the drafters of the policy and procedures understand all the data out there can be difficult.”
Micky Tripathi, chief executive officer of the Massachusetts eHealth Collaborative, also offered insight into how to handle a breach properly when it occurs from the perspective of someone who has been through one.
Back in 2011, Tripathi reported that an unencrypted MAeHC laptop containing 14,475 patient medical records was stolen from an employee's locked car. After going through the process of notifying patients, contacting attorneys, changing policies and working to rectify the situation transparently, Tripathi learned a few things.
No one, he said, is immune from data breaches. But, an organization can be immune from much of the aftermath depending on how it’s handled.