4 steps for business associates to comply with omnibus HIPAA

By Rick Kam
06:51 AM

When the HIPAA Final Rule on Privacy and Security kicks in on September 23, the privacy game changes for HIPAA covered entities (CEs). But for their business associates (BAs), the stakes rise by a quantum leap.

For CEs, the effects of the Final Rule are mostly incremental because the compliance structure remains unchanged; the biggest change is a revised threshold (aka the compromise standard) for breach risk assessment and notification decisions, but basic privacy and security requirements are the same.

For business associates, however, the Final Rule deadline raises the risks of non-compliance to a new level because, for the first time, they face many of the same compliance requirements as their covered entities, making them subject to HHS regulatory fines and corrective action plans, as well as civil monetary penalties.

Guilt by association
Some of the organizations newly affected by the Final Rule may not even know that they are business associates. According to the new definition, any entity that “creates, receives, or transmits” protected health information (PHI) on behalf of a HIPAA covered entity is now considered a business associate and directly liable for non-compliance.

This definition also encompasses subcontractors that manage PHI and other specific categories of organizations, including:

  • Health information organizations (HIOs)
  • E-prescribing gateways
  • Patient safety organizations
  • Vendors that provide services, involving PHI, on behalf of a covered entity
  • Data storage vendors that maintain PHI even if their access to PHI is limited or nonexistent

This means that even vendors providing generic outsourced IT services are now liable for HIPAA compliance. At this point, every organization that does business with HIPAA covered entities should be coming up to speed quickly on the Final Rule and the impending risks, and implementing a compliance plan.

Surviving double jeopardy
The Department of Health and Human Services Office for Civil Rights (OCR) will now include business associates in its HIPAA compliance audits, and business associates stand to lose in multiple ways if they are found to be non-compliant or in the event of a PHI breach. The direct financial risk is considerable: BAs face the same penalties as CEs — potential fines ranging from $100 to $50,000 per violation depending on the root cause of the violation and corrective action timeline (with a cap of $1.5 million on violations of identical provisions happening within the same calendar year).

The indirect risk may be greater still: a PHI breach due to negligence or willful neglect or mishandling of a breach situation could risk business relationships with the affected CEs, and reputational damage could affect multiple CE relationships on which the businesses depend.

Covered entities have had years to understand and meet regulatory requirements to protect PHI. With the Final Rule deadline looming, business associates don’t have the luxury of time. They need to immediately assess their relationships with healthcare-related organizations and take key steps to ensure compliance:

1. Determine which business relationships entail HIPAA compliance obligations: Remember that just because these obligations are not called out in a contract doesn’t mean that your organization isn’t considered a business associate under HIPAA. HHS is the ultimate judge and the jury in this regard.

2. Conduct a HIPAA compliance assessment: The assessment will evaluate regulatory obligations, current level of compliance, and gaps with respect to HIPAA-HITECH Privacy, Security, and Breach Notification Rules, as well as state laws. A compliance assessment will provide an actionable evaluation of compliance gaps, a priority ranking of PHI security risks, and recommendations for mitigating those risks. Best practice suggests a HIPAA compliance assessment should be conducted annually to monitor changes and progress against the initial baseline assessment.

3. Develop an Incident Response Plan (IRP): A ready-to-execute Incident Response Plan demonstrates the organization’s breach readiness in case of an actual incident or OCR audit, and enables staff to mitigate the risks of a potential data breach. A well-designed Incident Response Plan will:

  • Identify the roles and responsibilities of the Incident Response Team
  • Guide the team’s incident risk assessment and its decision on whether the PHI-related incident is a data breach
  • Define the organization’s policy for managing a data breach
  • Explain the relevant regulations for responding to a data breach, including notification requirements
  • Guide the team through all phases of managing a data breach — discovery, investigation, and response

4. Implement an incident risk assessment methodology and tools: Evaluate and procure decision support software to help the organization comply with HIPAA/HITECH’s revised and complex PHI compromise standard and state data breach regulations. Every privacy and security incident is unique and requires a consistent incident risk assessment that incorporates, at a minimum, the four factors outlined in the Final Rule. The risk assessment outcome must be documented and used to determine if notification is required. A compliant risk assessment and decision support tool can help the incident response team execute a timely and effective breach response that protects patients and business partners and ensures regulatory compliance.

Be prepared
For covered entities, the Final Rule extends the burden of oversight: CEs must manage more aspects of security with, potentially, a wider group of business partners. Business associates can expect their CE customers to be reviewing contracts, looking hard at their privacy and security policies and practices, and asking for proof of up-to-date risk analysis and mitigation strategies, IRPs, and incident management programs. BAs should also be sure their business processes are up-to-date on new rules regarding patient control on disclosure of PHI and delivery of electronic medical records on patient request.

The wider definition of business associates is putting a burden on many businesses to do a great deal of security work in a short time. The upside is threefold: the effort is likely to strengthen communication and collaboration with business partners, it will protect the business for the long term, and interaction with CEs may even lead to new business opportunities for custom system integration or new service level agreements.

In any case, greater safety is a win-win for the organization, its business customers, and the patients they serve.