In a press release issued last week, the U.S. Department of Health and Human Services (HHS) announced a long-awaited update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS Secretary Kathleen Sebelius gave the understatement of the year in the announcement: “Much has changed in health care since HIPAA was enacted over fifteen years ago…”

Some of the most significant changes in health care have themselves been a result of the original HIPAA requirements. Anyone who has visited a medical professional is now familiar with signing a form acknowledging that they have received a Notice of Privacy Practices.

This update to HIPAA, which goes into effect on 3/26/2013 and requires compliance by 9/23/2013, contains a number of significant changes. (You can read the Final Omnibus Rule on the Federal Register’s website here.) We will be posting a series of articles over the next few weeks detailing the changes and the impact they will have on organizations and individuals throughout both the healthcare and information technology industries. You can keep up with these articles on the Gemini Security Solutions website. (Update: a roadmap of all our HIPAA posts can be found at this link.)

One of the most significant changes is that the new HIPAA expands its scope. Previously, legal liability for failing to meet the requirements of HIPAA was restricted to “covered entities”, defined as (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA. Covered entities were responsible for their business associates only indirectly, through the business associate agreements they were required to put in place; the business associates themselves were bound by contract, not by the regulation.

In the new rule, HHS will also be able to hold the business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules. Generally, “business associate” means an individual or organization that “creates, receives, maintains, or transmits protected health information” on behalf of a covered entity, and the final rule extends the definition to subcontractors of business associates as well; read the full definition in the final rule text here.

The impact of this new rule is clear: many more organizations are now directly liable for HIPAA violations. Any time protected health information is shared with an outsourced organization, such as a cloud or software-as-a-service provider, an e-prescribing gateway, or a personal health record application, that organization will need to comply with the applicable security and privacy provisions of HIPAA by September of this year. Companies that simply store information and do not know or care what is being stored are squarely within the definition: under the final rule, an organization that maintains protected health information is a business associate even if it never views the data. Only true conduits, which transmit data transiently and do not retain it, remain outside the definition, and storage is not transmission.

Now is the time for organizations that see potential HIPAA liability in their future to consider performing an assessment, so they understand how well they protect the information they hold and how prepared they are for the September compliance date.