The penalties per violation range from $100 to $50,000, depending in part on whether the violation was caused by ignorance or willful neglect, with a maximum of $1.5 million per year for violations of a specific provision.
Berger said he thinks the new focus on BAs will yield substantial dividends. "Given that more than 50 percent of PHI breaches to date have involved a business associate in some way or another, we should expect great improvement," he said.
The HIPAA update also requires custodians of PHI to render it "unusable, unreadable and undecipherable" to unauthorized parties. Redspin said it expects that requirement to curb both the number of data breaches and the damage they cause, since meeting it means encrypting all portable devices; a third of all large breaches to date have been caused by the loss or theft of portable devices.
Security experts offer mixed opinions on how much those recommendations and the new Omnibus Rule will reduce breaches of PHI. Danny Lieberman, CTO of Software Associates, is dubious. "I think the Omnibus Rule has low-balled the amount of work that BAs and hospitals need to do to detect and prevent data loss," he said.
Lieberman noted language in the new rule that says BAs and subcontractors, "should already have in place security practices that either comply with the Security Rule, or that require only modest improvements to come into compliance..."
"There is no basis in the empirical data — considering the volume of data breaches — to make statements like that," he said. "The U.S. healthcare system is so complex, I don't see how making data breach a criminal offense will mitigate the attacks on PHI."
Martin Fisher, director of information security for Wellstar Health System, is more optimistic. While he does not think the number and breadth of breaches will decline immediately, "if enough traction happens, over time you'll see the number of breaches come down," he said, comparing it to improvements in standards for the Payment Card Industry (PCI). "That is a good template for what you are likely to see," he said.
Fisher said one of the best things about the update is that, "it provides a sense of finality to the rule. Operating under an interim rule always makes you question the investments you are going to make — will the BlinkyLight you're buying meet the final requirement? That sense of certainty is a very good thing."
There is also some doubt that encryption will provide bulletproof protection for PHI. The mantra in security circles for years has been, "encryption is not enough." Berger argues that it is, nonetheless, "one heck of a way to start. More than 50 percent of the breaches to date would not even have qualified as reportable breaches if the devices had been encrypted. Ultimately, security is about reducing risk," he said.