The final HIPAA omnibus rule released late last week holds business associates (BAs) and subcontractors (the BA of a business associate) directly liable for compliance with the HIPAA rules, and sets a deadline for compliance with the new modifications. There’s some cushion time though – the final rule isn’t officially effective until March 26, and even after the date, covered entities and business associates of all sizes will have 180 days to be in compliance. According to HealthDataManagement.com, covered entities will have one year from the compliance date to modify business associate agreements to match the new requirements.
This may not be enough time for BAs and subcontractors to achieve compliance with the modified rules, especially for those that were never initially in compliance. However, this works two-fold to 1) weed out quality HIPAA hosting providers that focus on the healthcare compliance market from the rest; 2) increase the ease of covered entities in securing patient data and maintaining patient privacy by limiting the hosting provider market.
Compliance is time-consuming and expensive, but the service providers that are willing and able to make that commitment will fare well in the healthcare market, especially since covered entities and BAs are now legally liable for the acts of their subcontractors and therefore monetarily motivated to have a vested interest in the security practices of their hosting providers.
The Medical Group Management Association (MGMA) issued their own comments on the modifications – they’ve voiced concerns over the short time frames alloted to get up to speed, as reported by HealthDataManagement.com:
We are strongly supportive of comprehensive privacy and security standards aimed at avoiding unauthorized use or disclosure of patient health information. However, it is critical that the safeguards mandated by the government be practical, flexible and affordable for the broad spectrum of medical practices.
We are concerned about the ability of practices to implement the changes associated with this final rule, including the requirement to modify and reissue notices of privacy practices and modify business associate agreements–within the short time frames allotted. We will continue to monitor our member practices to ensure that administrative burdens imposed by the government do not hinder the necessary flow of health information for patient treatment, payment and healthcare operations purposes.
Considering the definition of a BA has expanded to include patient safety organizations, health information organizations, e-prescribing gateways, providers of data transmission services for protected health information to a covered entity, etc., the rule comes as a serious wake-up call to providers that haven’t done their due diligence in the security arena. A compromise has to be made between the degree of federally ordered ‘administrative burdens’ and the need to tighten up patient data security.
So how do you start the arduous process of establishing a culture of security in your organization? Conducting a HIPAA risk analysis is the first step toward implementing the HIPAA Security Rule safeguards. The first mandatory component of the nine outlined by the HHS is the scope of the analysis; meaning any potential risks and vulnerabilities to the privacy, availability and integrity of ePHI. For a full list of the risk analysis components, read What’s in a HIPAA Risk Analysis?
Other best practices include:
As a BA for the healthcare industry, undergoing a HIPAA audit conducted by a third-party and using the new OCR HIPAA Audit Protocol criteria ensures you will be able to pass an audit conducted by the government. Read more about Online Tech’s 100% compliance and our technical, physical and administrative security we both use internally and provide as a service to our clients.
If you’re a covered entity/healthcare organization, you might need to reassess your vendors now that the final omnibus rule dictates that covered entities are held liable for the actions of their BAs/subcontractors. Read Five Questions to Ask Your HIPAA Hosting Provider that will help ensure you can meet the HHS’s deadline this spring.
HHS Releases Final Omnibus HIPAA Rule
MGMA Concerned About Compliance Period in HIPAA Rule
HHS: Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (PDF)
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.