HIPAA Omnibus, Meet Indifference
Do you want to know what you will be reading about in the coming weeks? HIPAA. The Department of Health and Human Services has updated the HIPAA requirements.
The 563-page package of regulations includes:
- Extensive modifications to the HIPAA privacy, security, and enforcement rules, including security and privacy requirements for business associates and their subcontractors.
- A final version of the HIPAA breach notification rule, which clarifies when a breach must be reported to authorities.
- Dramatic changes to marketing and fundraising requirements.
- Modifications to the Genetic Information Nondiscrimination Act (GINA), which prohibits health plans from disclosing genetic information for underwriting purposes.
With topics such as breach notification and marketing constraints, it’s the page-turner you’d imagine it to be. Hundreds of pages of distilled public comments and final rulings. Even if you’re like me, and have an interest in these esoteric topics, they are just words on a page. Does this change anything? Probably not. We have been hearing about the serious nature of HIPAA and HITECH for about a decade without meaningful changes to data privacy or security for health-related information. While there is a renewed focus on discouraging healthcare firms from marketing protected health data, or selling patient data to third-party marketing firms, there is little to promote proactive changes to data security or privacy. HIPAA will remain a “topic of interest”, but will see little action until we see serious fines or someone goes to jail. Expect lots of media coverage and very little action.