Ober|Kaler's Health Law attorneys are regular contributors to Medical Laboratory Observer's "Liability and the Lab" column at mlo-online.com. This article appears in the November 2010 edition.

The culture of HIPAA compliance is about to change, driven by significant changes in the law. The OIG has been encouraging a "culture of compliance" with the antikickback laws for a number of years, which has resulted in a general awareness in clinical laboratories. Most in the health care industry, for example, know that giving a physician something of value to reward referrals is not acceptable. Few are likely to know what the foundation for compliance with the HIPAA Security Rule is, but that is changing as well.

The HIPAA Security Rule, which is basically a series of technologically neutral touch points for developing HIPAA-compliant processes and procedures for safeguarding protected health information in electronic form (ePHI) has been in effect for nearly 10 years now, but has generally received less attention than has the HIPAA Privacy Rule. The federal HIPAA enforcers have published a draft of their first annual guidance on the provisions of the HIPAA Security Rule: HIPAA Security Standards: Guidance on Risk Analysis (the Draft Guidance). Under the HIPAA Security Rule, it is not enough to be secure; documentation of the decisionmaking process that led each clinical laboratory or other HIPAA-covered entity to select the means of achieving security for ePHI at rest in or transmitted by the covered entity is required. The risk assessment is described in the Security Rule as "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the covered entity."