If you’re an IT vendor who services healthcare clients, you’re no doubt well-acquainted with HIPAA compliance rules. And chances are that lately you’ve been hearing rumblings about the new HIPAA Omnibus rule.
As a modification of HIPAA’s previous requirements, this new ruling impacts the HIPAA Privacy, Security, Breach Notification and Enforcement Rules – and that can mean significant change for many healthcare IT vendors, who will need to adapt their compliance practices, their vendor agreements, or both.
So just what does the Omnibus rule change? Responsibility for compliance, in a nutshell. Previously, HIPAA compliance was primarily the responsibility of covered entities such as hospitals, clinics and insurers. Vendors, or “business associates” in HIPAA’s terminology, that provided supporting services to these covered entities were accountable only for the terms dictated by their contracts (“business associate agreements”) with the covered entities.
The Omnibus rule has changed that; vendors that create, receive, maintain or transmit electronic protected health information (ePHI) now shoulder more accountability for compliance than ever before, because they are directly accountable to the HHS Office for Civil Rights (OCR) rather than only to their customers. Organizations that merely transmit protected health data, such as ISPs, remain exempt under the so-called “conduit exception,” but organizations that maintain and store such data do not qualify for it.
Given how many organizations are moving to the cloud, this new standard represents a major change for many vendors, who now find themselves directly liable for non-compliance in the same way covered entities are. From impermissible uses and disclosures of PHI to failures to provide breach notifications, vendors can face a new set of consequences for violations that used to be someone else’s headache.
On a practical level, the Omnibus rule will play out in several ways. Covered entities are now required to put business associate agreements in place with any vendor that has access to PHI, and those agreements must commit the vendor to HIPAA compliance. Those vendors, in turn, need to obtain equivalent agreements from their own subcontractors. And that’s where it becomes concerning. Many vendors have clients who rarely or never ask them to sign such agreements. While that might seem like the covered entity’s responsibility, it’s now an oversight that no vendor can afford to ignore.
All of this means vendors must take the following three steps to protect themselves:
1. Clearly articulate your responsibilities for any and all sensitive data that passes through your hands. While the covered entity should understand the basic compliance requirements for maintaining and storing data, it may not understand every aspect of your technical environment. Make sure every scenario is covered in your contract so you’re not left holding the bag should the unexpected happen.
2. Make sure that your own vendor agreements are equally clear. Spell out exact responsibilities with all of your subcontractors, confirm that every process that touches PHI is covered, and continue to monitor and enforce these agreements. The more degrees removed from the covered entity a subcontractor is, the more critical it is to verify that all compliance requirements are met.
3. Ensure that your systems have sufficient reporting capabilities in case of an audit. The Secretary of Health and Human Services has authority over HIPAA and HITECH, with enforcement and audits carried out by the Office for Civil Rights. If the Office chooses to audit you, you will need reporting that can demonstrate your compliance, not just assert it.
The Omnibus rule became effective on March 26, 2013; impacted vendors have roughly six months from that date, until the September 23, 2013 compliance date, to meet the new standards. Vendors can also continue to operate under existing agreements that complied with the prior HIPAA rules, provided those agreements are not renewed or modified in the meantime, until September 22, 2014. But it’s clear that this new ruling will force many vendors to transform both their agreements and their compliance practices. Smart vendors will begin adapting now.