In this article, the new HIPAA Privacy and Security final rule—also known as the HIPAA Omnibus Rule—which became effective on March 26, 2013, is discussed.
Some thoughts…
- Access to protected health information by third parties, such as vendor support staff, is mentioned. The related article referenced at the bottom (note: link is broken; corrected link here) states that “Third parties account for 40 percent of the breaches reported and 75 percent of the records exposed”. It will be interesting to see how effective a vendor’s support staff will be when they are unable to analyze data referenced in a reported problem; invalid or corrupt data is a common enough problem that analyzing the original data to eliminate it as a root cause is a routine task. Wide-scale analysis of databases to detect the frequency of missing or invalid data elements is also a common method. If this data is not made available, or is stored in an encrypted form (at rest), it will be interesting to see how effective current support methods and tools will be (they may need to be updated).
- Same question as above for Business Intelligence (BI) applications that often mine databases (and sometimes files) containing patient record information.
- Encryption of data on disk (by the storage subsystem or the application) is relatively common (often as an option), but encryption of the database files is less common (though technically feasible with many database management systems). It seems to me that most of the detected and reported breaches are of laptops and portable media (e.g. USB drives).
- I wonder, if this rule is heavily enforced, if the fines will become enough of a revenue source to be viewed as a way of offsetting the costs of enforcement, or even funding—much like speeding and parking tickets subsidize police operations.