New HIPAA rule could change BAA talks

Contract negotiations might 'get very tense,' says one privacy officer
By Mike Miliard
11:19 AM
New HIPAA rule could change BAA talks

With an onus now on vendors to keep hosted data secure, that can make business associate agreements trickier than ever to negotiate as hospitals try to protect patient information and IT companies try to shield themselves from risk. Four providers offer tips from the trenches on getting the language right.

One of the biggest roadblocks to wider adoption of technologies such as cloud hosting is the fact that CIOs and chief privacy officers look askance at its security protections. They often just don't trust outsourced hosting to keep personal health information safe.

But with the HIPAA Omnibus Rule's new regulations with regard to the responsibilities of business associates – leaving them on the hook legally in the event of a data breach – it could be that providers may be more emboldened to embrace the cloud and enjoy the benefits it has to offer.

"For a long time, the cloud was untrusted on multiple levels -- people weren’t familiar with it, they were afraid of the security aspect and, simply stated, it just wasn’t the safe career choice -- in other words, nobody got fired for not choosing the cloud in the past," John Haughton, MD, chief medical information officer of cloud hosting company Covisint, told Healthcare IT News in September.

"That’s all changing dramatically," he said. One big factor has been a shifting in burdens brought about by the new HIPAA rule.

As Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights, told Healthcare IT News, just as the enforcement of the HIPAA Omnibus rule went into effect, "We have been clear for a very, very long time now with the business associates about the fact that they will become directly accountable under the regulations, that they should begin taking all the necessary steps to amend, if necessary, their policies and procedures and practices to come fully into compliance with these obligations."

Among the new changes, business associates are now responsible for their subcontractors, and the must comply with security and breach notification rules. Healthcare providers are liable for the actions of BAs who are agents, but not for those that are independent contractors.

That's good news, from a technology standpoint, said Haughton. "In order for the cloud to gain the trust of providers and payers, cloud vendors needed to take on greater responsibility to protect patient privacy."

At recent Healthcare IT News/HIMSS Media events in New York and Boston, privacy officers and CIOs agreed that the shift of responsibilities on business associates could indeed be a game changer. But they also cautioned that negotiating business associate agreements could get tricky and potentially contentious in light of the new HIPAA rules.

In New York, Torie Jones, then chief privacy officer for University of Pennsylvania Health System – her coworkers called her "The HIPAA Lady," she said – emphasized that "the cloud is not going away; I think it's very appealing to healthcare organizations."

Clearly, this is a "new reality," she said, and "we need to figure out the best way to do it within the confines we've been given from a regulatory standpoint."