Although the Department of Health and Human Services' proposal to modify the HIPAA privacy, security and enforcement rules is not yet a final regulation, the time to prepare for compliance is now.

I recently had conversations with two lawyers who specialize in healthcare law and HIPAA, and they both indicated that the proposal followed the HITECH Act's requirements so closely that they anticipate there will be very few, if any, substantial changes in the final rule. So healthcare organizations and their business associates cannot afford to delay their efforts to comply with the proposal's complex provisions because they cannot be accomplished overnight.

Covered entities and business associates should not wait to implement changes to meet compliance.

The Department of Health and Human Services makes clear in its communications that health information must be effectively safeguarded to engage the public, obtain the trust of the public, and to advance the HHS goal of moving all healthcare information into digital forms. I was on the July 8, 2010, conference call announcing the HIPAA modification proposal, and there was no question in my mind after hearing the statements that HHS is going to more actively pursue enforcement of the HIPAA and HITECH information security and privacy requirements to help advance its electronic health records goals.

Federal officials stressed more than once that an important goal is to have consumers trust the health information system. This urgency to be in compliance with information security and privacy requirements now, as opposed to later, is evidenced by a passage on page 40909 of the HIPAA modification proposal, which states:

"For those business associates that have not already adopted HIPAA-compliant privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards....To avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the protected health information under their control."

So, to those covered entities (hospitals, clinics, insurers, etc.) and their business associates who were wondering when they need to be in compliance with information security and privacy requirements, the answer should be clear that they need to be in compliance now!

Here is a summary of some of the key elements of the proposed HIPAA modifications that organizations need to be aware of as they prepare for compliance:

• The definition of a business associate was expanded. For example, patient safety organizations are now included, along with health information organizations, e-prescribing gateways and "other persons that facilitate data transmission," as well as vendors of personal health records.
• Very significant is that business associates now must not only generally comply with the privacy rule and security rule, but they must also ensure their subcontractors are also in compliance. Business associates will now need to have their subcontractors enter into a type of business associate agreement to make sure that they are protecting information. As stated within the proposal, "In addition, a business associate would be required to furnish any information the Secretary requires to investigate whether the business associate is in compliance with the regulations." This would imply that business associates and covered entities alike need to take due diligence steps to actively ensure that subcontracted entities are in compliance with the requirements.
• The definition of "electronic media" was updated. This is important because of how quickly the original definition became outdated. This clarification "removes a restriction as to what is considered to be physical electronic media, thereby allowing for future technological innovation." For example, now intranets are considered to be a type of "electronic media." Pointing to a NIST definition is a good way to have it more consistent with other laws and regulations that also use this definition.
• There were several changes with regard to the information included within the "notice of privacy practices" that must be provided to patients. Generally all covered entities and applicable business associates, such as those that write and/or distribute NPPs on behalf of covered entities, with responsibilities for providing the notices will need to update those dusty documents that are usually hiding in the desk drawers of the reception areas.
• There were some changes in limiting use and disclosure of protected health information, or PHI, including more information about the restricted elements, along with addressing how to document and terminate restrictions.
• There were changes for how individuals can obtain access to their PHI. The proposal requires that access be provided in the way preferred by the requestor, including honoring a request to transmit a copy to another person designated by the requestor. Another change also makes it clear that copies should be provided "without unreasonable delay and not later than 30 days."
• There were changes in how PHI can be used for marketing.
• The penalties and fines for non-compliance are also more clearly described, and more substantial.
• Requirements for safeguarding PHI were removed for information on those who have been deceased for more than 50 years.

Covered entities and business associates should not wait to implement changes to meet compliance. And, considering the proposal explicitly states, "...the covered entity remains liable for the acts of its business associate agents, regardless of whether the covered entity has a compliant business associate agreement in place," covered entities need to also actively ensure their business associates are actively implementing the requirements or face "far more serious penalties."

Rebecca Herold, owner of Rebecca Herold & Associates, is known as "the Privacy Professor." For more than two decades, she has specialized in information security privacy, security and compliance. She has served as an adviser to organizations in a number of industries, including healthcare. She is working on the second edition of the book, "The Practical Guide to HIPAA Privacy and Security Compliance."