If you’re an IT vendor who services healthcare clients, you’re no doubt well-acquainted with HIPAA compliance rules. And chances are that lately you’ve been hearing rumblings about the new HIPAA Omnibus rule.
As a modification of HIPAA’s previous requirements, this new ruling impacts the HIPAA Privacy, Security, Breach Notification and Enforcement Rules – and that can mean significant change for many healthcare IT vendors, who will need to adapt their compliance practices, their vendor agreements, or both.
So just what does the Omnibus rule change? Responsibility for compliance, in a nutshell. Previously HIPAA compliance was primarily the responsibility of covered entities such as hospitals, clinics and insurers. Vendors or “business associates,” as referred to by HIPAA, who provided supporting services to these covered entities were only accountable for the terms dictated by their contracts (“business associate agreements”) with the covered entities.
The Omnibus rule has changed that; now vendors that oversee protected electronic information will shoulder more accountability for compliance than ever before, in that they are now directly accountable to the Office of Civil Rights. While organizations that transmit protected health data, such as ISPs, are still exempt under something called the "conduit exception," organizations that maintain and store such data are not.
Given how many organizations are moving to the cloud, this new standard presents a major game change for many vendors, who now find themselves as contractually liable for non-compliance as covered entities. From impermissible data uses and disclosures to failures to provide breach notifications, vendors can face a new set of ramifications for violations that used to be someone else’s headache.
On a practical level, the Omnibus rule will play out in several ways. Covered entities are now required to put business associate agreements in place with any vendors who have any access to PHI guaranteeing the vendors’ compliance with HIPAA requirements. Those vendors will need to obtain the same from their subcontractors. And that’s where it becomes concerning. Many vendors have clients who rarely or never ask them to sign such agreements. While that might seem like the covered entity’s responsibility, it’s now an oversight that no vendor can afford to ignore.
All of this means vendors must take the following three steps to protect themselves:
1. Clearly articulate your responsibilities for any and all sensitive data that passes through your hands. While the covered entity should understand basic compliance requirements for maintaining and storing data, they may not always understand every aspect of your technical environment. Make sure every possibility is covered in your contract so you’re not left holding the bag should the unexpected happen.