On September 23rd 2013, the HIPAA Omnibus Final Rule went into effect. This update is the most sweeping change to the HIPAA regulations since they were first instituted in 1996. For IT professionals the most interesting element of this update is the requirement that health care providers grant patients access to their health records in electronic format upon request. Couple that data access requirement with the Affordable Care Act’s (ACA) mandate that medical providers switch from physical patient charts to electronic records, and suddenly we've opened the door to a truly incredible Big Data revolution for healthcare IT.
“Any long term solution to the economic issues plaguing healthcare will involve the rise of smart machines.” -- Derek Collison, CEO of Apcera
Today, there are more than 250 million Americans with active health coverage, and with the implementation of the Affordable Care Act, that number will most certainly increase. The wealth of data that each patient generates from every physician visit, medical test, prescription and ensuing medical transaction is enormous. The new electronic requirements will open a massive door of opportunity for companies to create technologies that capture and analyze the resulting flood of data.
Just imagine the insights that can be derived from the ability to crunch medical test records from millions of users, or the prediction algorithms customers have become familiar with from Google and Facebook, but applied to medical information. Imagine the ability to integrate the “internet of things” (day-to-day sensors such as a FitBit, a Jawbone, or a digital scale) into real-time medical information. The moment for transformative discovery has arrived, and beyond the economic benefits for companies riding this wave, the social benefit of being able to drive down healthcare costs and realize better patient outcomes is unparalleled.
But as new startups enter the market to capture this tantalizing opportunity, they’ll need to remember that the new HIPAA Omnibus rule does more than present them with a lucrative opportunity. It also tightens the regulations and adds teeth to their enforcement. Historically, the government has taken a fairly lax stance toward those found to have leaked personally identifiable information (PII) and patient health data. The new Omnibus HIPAA regulations change the liability and fines in a dramatic way, and the Department of Health and Human Services has made it clear that it intends to hold organizations significantly more accountable.
This means that startups rushing headlong into the healthcare big data boom need to make sure their compliance strategies aren’t an afterthought. With great power comes great responsibility, and now there will be great penalties for those that do not take that responsibility seriously. The Omnibus regulation raises the maximum penalty for security breaches to $1.5 million per violation.
Unfortunately, unlike PCI compliance, ensuring HIPAA compliance isn't as simple as following a checklist of actions. HIPAA requires that an organization follow a number of "industry best practices" across a multitude of areas but does not define what those industry best practices actually are. That vagueness can leave IT organizations unintentionally exposed. Complicating things further, HIPAA compliance goes well beyond purchasing “compliant” hosting infrastructure: applications must be designed in a secure way, and internal policies and procedures have to be defined and enforced.
Startups like Accountable are entering the market to help make the HIPAA compliance process easier. Other companies can provide “HIPAA compliant” hosting infrastructure designed to meet those core industry best practices. Regardless, effective compliance that won’t expose you to risk means taking a thorough, 360-degree approach. Now more than ever, it’s crucial to work with an auditor like Coalfire to help build your formal HIPAA compliance plan from top to bottom.
It’s rather straightforward – CYA. A seemingly small mistake could bring about massive penalties that will crush a startup. Don’t rush blindly after the revenue attached to the impending big data explosion in the healthcare industry. Respect and protect the data like you never have before, because too much is at stake.
This post was originally published on the Washington Technology Industry Association website on Sept 23, 2013.