Government & Policy

4 steps for business associates to comply with omnibus HIPAA

By Rick Kam
September 20, 2013
06:51 AM

When the HIPAA Final Rule on Privacy and Security kicks in on September 23, the privacy game changes for HIPAA covered entities (CEs). But for their business associates (BAs), the stakes rise by a quantum leap.

For CEs, the effects of the Final Rule are mostly incremental because the compliance structure remains unchanged; the biggest change is a revised threshold (aka the compromise standard) for breach risk assessment and notification decision, but basic privacy and security requirements are the same.

For business associates, however, the Final Rule deadline raises the risks of non-compliance to a new level because, for the first time, they face many of the same compliance requirements as their covered entities, making them subject to HHS regulatory fines and corrective action plans, as well as civil monetary penalties.

Guilt by association
Some of the organizations newly affected by the Final Rule may not even know that they are business associates. According to the new definition, any entity that “creates, receives, or transmits” protected health information (PHI) on behalf of a HIPAA covered entity is now considered a business associate and directly liable for non-compliance.

This definition also encompasses subcontractors that manage PHI and other specific categories of organizations, including:

  • Health information organizations (HIOs)
  • E-prescribing gateways
  • Patient safety organizations
  • Vendors that provide services, involving PHI, on behalf of a covered entity
  • Data storage vendors that maintain PHI even if their access to PHI is limited or nonexistent

This means that even vendors providing generic outsourced IT services are now liable for HIPAA compliance. At this point, every organization that does business with HIPAA covered entities should be coming up to speed quickly on the Final Rule and the impending risks, and implementing a compliance plan.

Surviving double jeopardy
The Department of Health and Human Services Office for Civil Rights (OCR) will now include business associates in its HIPAA compliance audits, and business associates stand to lose in multiple ways if they are found to be non-compliant or in the event of a PHI breach. The direct financial risk is considerable: BAs face the same penalties as CEs — potential fines ranging from $100 to $50,000 per violation depending on the root cause of the violation and corrective action timeline (with a cap of $1.5 million on violations of identical provisions happening within the same calendar year).

The indirect risk may be greater still: a PHI breach due to negligence or willful neglect or mishandling of a breach situation could risk business relationships with the affected CEs, and reputational damage could affect multiple CE relationships on which the businesses depend.

[NHITweek: Mostashari says ONC will keep punching above its weight post-HITECH.]

Covered entities have had years to understand and meet regulatory requirements to protect PHI. With the Final Rule deadline looming, business associates don’t have the luxury of time. They need to immediately assess their relationships with healthcare-related organizations and take key steps to ensure compliance:

1. Determine which business relationships entail HIPAA compliance obligations: Remember that just because these obligations are not called out in a contract doesn’t mean that your organization isn’t considered a business associate under HIPAA. HHS is the ultimate judge and the jury in this regard.

2. Conduct a HIPAA compliance assessment: The assessment will evaluate regulatory obligations, current level of compliance, and gaps with respect to HIPAA-HITECH Privacy, Security, and Breach Notification Rules, as well as state laws. A compliance assessment will provide an actionable evaluation of compliance gaps, a priority ranking of PHI security risks, and recommendations for mitigating those risks. Best practice suggests a HIPAA compliance assessment should be conducted annually to monitor changes and progress against the initial baseline assessment.

3. Develop an Incident Response Plan (IRP): A ready-to-execute Incident Response Plan demonstrates the organization’s breach readiness in case of an actual incident or OCR audit, and enables staff to mitigate the risks of a potential data breach. A well-designed Incident Response Plan will:

  • Identify the roles and responsibilities of the Incident Response Team
  • Guide the team’s incident risk assessment and decision whether the PHI related incident is a data breach
  • Define the organization’s policy for managing a data breach
  • Explain the relevant regulations for responding to a data breach, including notification requirements
  • Guide the team through all phases of managing a data breach — discovery, investigation, and response

4. Implement an incident risk assessment methodology and tools: Evaluate and procure decision support software to help the organization comply with HIPAA/HITECH’s revised and complex PHI compromise standard and state data breach regulations. Every privacy and security incident is unique and requires consistent incident risk assessment that incorporates the minimum of four factors outlined in the Final Rule. The risk assessment outcome must be documented and used to determine if notification is required. A compliant risk assessment and decision support tool can help the incident response team execute a timely and effective breach response that protects patients and business partners and ensures regulatory compliance.

Be prepared
For covered entities, the Final Rule extends the burden of oversight: CEs must manage more aspects of security with, potentially, a wider group of business partners. Business associates can expect their CE customers to be reviewing contracts, looking hard at their privacy and security policies and practices, and asking for proof of up-to-date risk analysis and mitigation strategies, IRPs, and incident management programs. BAs should also be sure their business processes are up-to-date on new rules regarding patient control on disclosure of PHI and delivery of electronic medical records on patient request.

The wider definition of business associates is putting a burden on many businesses to do a great deal of security work in a short time. The upside is that the effort is likely to strengthen communication and collaboration with business partners, it will protect the business for the long term, and interaction with CEs may even lead to new business opportunities for custom system integration or new service level agreements.

In any case, greater safety is a win-win for the organization, its business customers, and the patients they serve.

Related articles:

Omnibus HIPAA: BAs, breaches will get worse before better

Will providers deny patient requests to email medical records?

What scares health pros most about omnibus HIPAA

Q&A: On remaining ambiguities in the final HIPAA rule

Topics: 
Government & Policy

More regional news

A pharmacist reviewing a digital record

Blooms The Chemist integrates Healthengine and more briefs

By
Adam Ang
November 17, 2024
HIMSSCast logo

HIMSSCast: Caregiver input needed for allocation of investment dollars

By
Bill Siwicki
November 15, 2024
HHS Building

Trump picks RFK Jr. to lead HHS

By
Susan Morse
November 15, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Former Georgia Rep. Doug Collins
Trump taps former Rep. Doug Collins to head VA

Most Read

Clinical IT leaders on meeting CMS' mandate for patient data access
Epic and Oracle Health sign on to Veteran Interoperability Pledge
Texas AG settles with clinical genAI company
Interoperability in healthcare moving forward despite challenges
What Loper Bright and the end of Chevron deference mean for HHS
India to harness ABDM data to develop public AI

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Lee Kim at HIMSS_Global Health Equity Week 2024
AI can be leveraged to improve cybersecurity and health equity
Dr. Keisuke Nakagawa at UC Davis Health_Global Health Equity Week 2024
How artificial intelligence is changing the equation for SDOH integration
Andrea Hsu at National Science and Technology Council_HIMSS24 APAC
Fostering health IT innovation through academic-industrial collaborations
Valerie Rogers at HIMSS_Global Health Equity Week 2024
Technology and policy have a role to play in improving maternal health

More Stories

Mike Relli at Knight Consulting_Global Health Equity Week 2024
New approaches to improving healthcare access for justice-impacted individuals
HIT professional reviews information on a laptop outside a server room
ASPR seeks feedback on public health orgs' cybersecurity needs
Gabriel Jones of Proprio on AI
Artificial intelligence is enabling big advances in surgery
Pharmacist sorting pills
Deploy RFID technologies to streamline controlled substance management
Healthcare workers in a meeting
Prioritizing cost management at U.S. healthcare systems: Keys to better margins
Healthcare worker looking at medical record on tablet with patient in background
Protect your IoMT devices against evolving cyberattacks
Jill Brewer at HIMSS_Healthcare Cybersecurity Forum 2024
What's the weakest link in organizational cybersecurity? Not what you might think
Richard Staynings at the University of Denver_Healthcare Cybersecurity Forum 2024
The challenges of safeguarding healthcare's 'data ocean'