Privacy has become a critical area of concern for a variety of organizations, as numerous industries must now comply with data protection regulations. This is especially true of the healthcare industry and protected health information (PHI). Compliance with health data privacy regulations has become critical to many businesses' survival because of the potential fines and consequences stemming from HIPAA violations. Now, there is a whole new group of organizations that must navigate the HIPAA compliance waters.
The HITECH Act has broadened the responsibilities described in Title II of HIPAA, known as the Administrative Simplification Provision, and added business associates to the list of those who are directly responsible for HIPAA compliance. According to the Department of Health and Human Services, a business associate "is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." Under HIPAA, covered entities are defined as any health plan, healthcare clearinghouse or healthcare provider that electronically transmits health information. To maintain HIPAA compliance, these covered entities must meet health data privacy standards adopted by the U.S. Department of Health and Human Services.
These HIPAA changes now make business associates subject to the same monetary fines for noncompliance that are applied to covered entities. This means the Office for Civil Rights can now conduct audits and administer penalties to both business associates and covered entities, and can increase the size of the penalties for noncompliance based on the degree of negligence. To avoid this, business associates -- even those not directly involved in healthcare -- must now ensure HIPAA compliance.
Verifying HIPAA compliance relies on the ability to conduct audits and proactively gather intelligence. These audits are a long-term, ongoing process that can be assisted by using online tools meant to help remain compliant with particular laws or regulations. For example, the Administrative Simplification Enforcement Tool (ASET) is a Web-based application created by the U.S. Center for Medicaid Services (CMS). The application enables individuals or organizations to file a HIPAA complaint against a healthcare provider, health plan or clearinghouse -- or any "covered entity" -- for potential non-compliance with HIPAA privacy and security provisions.
Business associates should also remember that compliance with healthcare regulations may change the way their organization conducts operations. Data protection budgets may need to be increased to meet the demands of new compliance regulations. Of course, conflicts or divergent goals usually arise within an organization when the group responsible for spending more on security and compliance requests more money from the group responsible for reducing spending and controlling the budget.
Security and privacy assurance is made even more complicated by businesses' increased demand for universal access to information, and for fast access to that data. There have been numerous international efforts to protect consumer data: HIPAA, the HITECH Act, the European Commission's Data Protection Directive and the European Commission's General Data Protection Regulation (GDPR) are all very strict data privacy compliance regulations that now require much more of an organization's budget in order to comply.
Avoiding legal complications by ensuring compliance with laws and regulations -- especially those concerning the collection, sharing and processing of personal data -- is crucial and requires thorough planning. However, sometimes compliance efforts are not immediately practical. In these cases, an organization can obtain safe harbor status: a set of "good faith" conditions that, if met, can temporarily protect the organization from non-compliance penalties. For example, the Texas Covered Entity Privacy and Security Certification Program is a voluntary certification program that incorporates state and federal privacy regulations to allow Texas-based covered entities to demonstrate health data protection compliance. The goal of the program is to help these covered entities "reduce regulatory penalties, manage risk and increase confidence" in their health information protection efforts.
Healthcare industry compliance requirements are forcing a profound adjustment to the way many organizations conduct business. The trend is only going to be compounded by the fact that healthcare is also one of the fastest growing industries in the world. As the reach of the healthcare industry continues to expand, the strict compliance regulations that come with working with health agencies pose a daunting challenge for organizations with limited resources. Vendors and any other organizations that are considered HIPAA "business associates" -- or whose daily practices include handling some form of healthcare information -- need to be aware of their own compliance and regulatory risks and obligations, or risk being fined for noncompliance.
About the author:
Daniel Allen is a Research Fellow at the Center for Climate and Security, where he focuses on the intersection of strategies for cybersecurity and climate change security risks. He is also President of N2 Cyber Security Consultants, LLC, and has worked as a research scientist for the Naval Health Research Center/ Medical Resource Planning, and is a U.S. Army/Desert Storm veteran and a high school science and climatology instructor. He holds a Master's Degree in Cyber Security and Information Assurance from National University, designated by the National Security Agency and the Department of Homeland Security as a "National Center of Academic Excellence in Information Assurance Education."