Get set: New HIPAA has teeth

The HIPAA Privacy and Security final rule, also known as the HIPAA Omnibus Rule, became effective on March 26. The new rule changes the breach notification process, shifting the burden of proof to providers who must now prove their innocence when patient data is breached. Providers and their vendors have 180 days to comply or risk enforcement actions and penalties. The addition of business associates under the rule could catch companies off guard and unprepared. The Office for Civil Rights has already prosecuted five covered entities, indicating increased enforcement going forward. Providers should conduct risk assessments and ensure their vendors are protecting personal health records according to the new rule.