02-10-14 | Blog Post
Over the past couple of years, the HIPAA Omnibus Rule has been hanging over health care organizations, Software-as-a-Service (SaaS) companies and anyone holding, processing, or transmitting electronic Protected Health Information (ePHI) and Electronic Health Records (EHRs). With 2014 in full swing, organizations that consider themselves Business Associates (BAs) or Covered Entities (CEs) need to be reviewing their policies and procedures, because the HHS Office for Civil Rights (OCR) may be knocking on their door this year.
So what did the final rule require of hosting providers and SaaS organizations? When the rule took effect in March 2013, with a compliance deadline of September 2013, the following changes were made:
Hosting providers and SaaS organizations are now considered Business Associates (BAs) and must sign a Business Associate Agreement (BAA) with each organization whose ePHI they hold, process, or transmit.
They must be able to demonstrate that they meet the HIPAA administrative, physical and technical safeguard requirements to assure the confidentiality, integrity and availability of ePHI.
All subcontractors of BAs that handle ePHI are now themselves BAs under the final rule, and must sign BAAs of their own.
Most hosting providers and SaaS organizations had been under the impression that if the data is only stored and never accessed, they are not liable under the HIPAA regulations. Under the new rule, this is no longer the case. An entity that maintains ePHI on a CE's behalf is a BA even if it never actually views the data; having the "opportunity" to access it is enough. Only a narrow conduit exception remains for services that merely transmit ePHI and have no more than transient access to it.
With these new policies in place, organizations also face new penalties. Civil money penalties can reach up to $1.5 million per calendar year for violations of an identical provision, and knowing misuse of ePHI can carry criminal penalties as well, putting the pressure on organizations to have the appropriate safeguards in place.
Do you have your data housed with a HIPAA compliant hosting provider? Here are some questions to ask your provider to understand where you stand under the final rule and an OCR audit:
1.) Are they willing to sign (or have we already signed) a Business Associate Agreement (BAA)? Does the BAA meet the requirements of the HHS final rule?
2.) Can they provide their most recent HIPAA audit report for our team to review?
3.) Was that audit performed against the OCR audit protocol, covering the HIPAA Privacy, Security and Breach Notification Rules?
4.) Have they signed BAAs with all of their subcontractors who handle ePHI?
5.) Have they been audited against the HIPAA administrative, physical and technical safeguard requirements for security?
All of the answers to these questions should be "Yes". If the answer to any of them is "No", your ePHI may be at risk and your organization may be exposed to OCR penalties and to claims from affected parties, creating a mess of issues for your organization.
When OCR comes knocking on the door in 2014, don't put your organization and its ePHI at risk. Know and understand the new policies and procedures in effect, and put the appropriate measures in place to ensure that your data is protected.
For more about health IT security, read our HIPAA Compliant Hosting white paper.
This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.
Attending HIMSS14? We will be exhibiting our Enterprise-Class HIPAA Compliant Hosting Solutions at HIMSS14 in Orlando from February 23-27. Come see us at Booth #3904 to learn more about our solutions!
HIMSS 13: HHS Final Ruling Changes the Rules & Roles for HIPAA Hosting
How the Final Omnibus Rule Affects HIPAA Cloud Computing Providers
Interview: HIPAA Rules Effective Starting Today – Is Your HIPAA Hosting Provider Prepared?
Preparing HIPAA BAs, subcontractors for 2014 OCR audits