D'Arcy Gue

Omnibus HIPAA: Healthcare IT Vendors’ Secret Vulnerability

July 2, 2013

HIPAA & Security

When Phoenix set up its exhibit earlier this year at HIMSS13 in New Orleans, I had just published “The Essential Guide to Omnibus HIPAA,” an analysis of the far-reaching new federal Omnibus HIPAA Rule that was released in January, 2013. To get the conversation moving, we also set up a group on LinkedIn and called it The Omnibus HIPAA Forum.

It made sense to perform a survey about Omnibus HIPAA awareness during the conference. The new Rule must be implemented by September 23rd this year, so we assumed we would get plenty of response. And, because the new Rule now makes Business Associates of providers and payers financially liable for breaches, and requires some major new security-related actions by them, we focused on vendors and other BAs.

We also chased down hospital CIOs, because providers are required to ensure that their BAs understand their new responsibilities for HIPAA compliance, set appropriate policies and procedures, perform risk assessments, and update business associate agreements with them that include their subcontractors. Four Phoenix staffers spent two to three hours per day for three days approaching willing participants with a set of 10 questions.

Surprise! With few exceptions, none of the 100 or so HIT vendor representatives that we polled (whose companies are Business Associates of hospitals) had even heard of Omnibus HIPAA. This sampling included senior staff as well as sales reps. It included major EHR vendors, niche IT vendors, consulting firms... you name it.

And, very few hospital representatives, including CIOs, knew about Omnibus HIPAA, either.

So much for our survey. How could we publish so many zeros? Perhaps, we thought, the survey was too early.

Four months later, my concern is that we're not seeing upticks in awareness among Business Associates about their new HIPAA obligations. Anywhere. In the last two weeks, I've talked to several hospital applications vendors and asked about it. New HIPAA rules are not on their radar. They have not heard of Omnibus HIPAA. It is clear to me that there is a serious lack of understanding of what the new Rule means for both providers and vendors.

Here are some basic questions to ask yourself if you are either of the above:

If you represent a provider, ask yourself:

  • Have you questioned your vendors/BAs about Omnibus HIPAA?
  • Are they taking required assessment and policy actions?
  • Are you updating your BA agreements with them?

If you represent a vendor that has contracts with providers and touches protected health information (PHI), these are some of the questions you should be asking:

  • Has your company completed its newly required security assessment?
  • Have you appointed a security officer?
  • Have you established BA agreements with subcontractors who touch PHI?
  • Have you updated your BA agreements with your provider clients?

The questions above represent actions that healthcare providers and Business Associates are required to take under Omnibus HIPAA.

For risk calibration purposes: penalties for one-time violations will cost up to $50k, and repeat violations within the same year can carry a fine of $1.5 million across all HIPAA violation categories. The average economic impact of a data breach has been $2.4 million since 2010 – in addition to costs due to federal fines, investigation, legal expenses, business downtime and decreased credibility.

These federal penalties should send a strong message to get on top of the new rules under Omnibus HIPAA. Business Associates are no longer out of the line of fire when it comes to HIPAA compliance.

If you are a Business Associate or work with Business Associates, download our recently published infographic detailing the impact of Omnibus HIPAA on Business Associates.
