March 18, 2013
The Department of Health and Human Services (HHS) has firmly put Business Associates in its crosshairs in the new HIPAA Rule. This is big money I’m talking about. And, major required changes in privacy and security practices for many IT solutions companies.
Health technology companies, including data centers, EHR and other software vendors, telehealth companies and even IT consultants, will now be held just as financially liable for violating HIPAA privacy and security provisions as the covered entities for whom they work (hospitals, payers, etc.). This means that if they qualify as HIPAA “business associates” (meaning, if they “touch” protected health information — PHI), they face penalties of $100 to $50,000 per violation, and up to $1.5 million for multiple violations of the same provision. Business associates, like covered entities, also have to conduct a risk analysis, implement a security plan, and appoint a Security Officer — and take another hard look at their privacy protections.
All before September 23, this year.
BTW — after surveying IT companies / business associates at HIMSS13 last week, we found little evidence that Omnibus HIPAA was even on their radar. More on our Omnibus HIPAA QuikSurvey next week….
Historically, while business associates were required by HIPAA to protect protected health information and to have Business Associate Agreements with covered entities, they were not held directly liable for penalties if they were non-compliant. Now they are. Further, in a giant step, the Omnibus HIPAA rule defines “business associates” far more broadly than in the past, and includes any entity that creates, receives, maintains or transmits PHI on behalf of a covered entity.
This next bit is a little complicated, but bear with me for a paragraph. HHS has created a new business associate chain: subcontractors of business associates are now responsible for PHI protection and are defined as business associates if they create, receive, maintain or transmit PHI. Further, their subcontractors are pulled into the chain if they meet the same criteria. All have the same compliance obligations under HIPAA that business associates have. Just as covered entities are held responsible for breaches or violations of their business associates, so, now, “first level” or primary business associates are held responsible for the compliance of their subcontractors.
Fortunately for covered entities, they do not have to enter into a business associate agreement (BAA) with business associates’ subcontractors. But, BAAs are still required between covered entities and their business associates. These “primary” business associates also must develop BAAs with all their relevant subcontractors, and covered entities must require their business associates to do so.
The bottom line, and the big message here: Technology companies that provide health-related solutions must do an immediate assessment, determine whether they are business associates under HIPAA, and figure out which of their subcontractors also “touch” PHI. Then they must act — and get their new HIPAA job done by September 23.
Part Four of our series explores the impact of Omnibus HIPAA on Privacy and Security.
In an effort to get a better understanding of how prepared covered entities and Business Associates are for the changes that Omnibus HIPAA imposes, we’re performing a short survey. We’d appreciate it if you took a few minutes to complete the survey. As a participant, you will be the first to receive our report on the results.