In January, the U.S. Department of Health and Human Services (HHS) issued a final omnibus rule outlining changes to HIPAA compliance requirements. The sweeping new rule addresses privacy, security, breach notification and enforcement.
This update has been widely discussed in the health care industry press, specifically how it changes what is considered a covered entity. If you are a health care compliance professional, chances are you've been tracking this rule change pretty closely. But compliance professionals that are not in health care need to pay attention as well, because many organizations outside of the direct patient-provider-payer relationship have new obligations under this rule by virtue of their business relationships.
Organizations not directly involved in the typical health care setting might be asking why and how these changes influence operations. The answer: The new rule expands Health Insurance Portability and Accountability Act compliance (including liability and enforcement considerations) to business associates of the typical covered entities directly involved in patient care.
While it might not seem so on the surface, this is a pretty big deal, because many firms could be considered "business associates" under the new HIPAA compliance rule. These associates include technology services providers such as hosting companies, software vendors, IT support companies, consulting outfits, data processing companies and cloud service providers. The trouble is, many business associates don't realize they're now considered one and therefore must follow the new HIPAA rules.
There are two reasons for this:
- In the past, covered entities tended to err on the side of caution in determining which external service provider relationships were business associates (and hence cast a wide net regarding who was classified as such); and
- Many service providers entered into business associate agreements with potential customers in order to close deals.
This means that many firms may have signed business associate agreements but didn't really change their practices much as a result -- and maybe forgot about it altogether. Under the new rule, those firms now must fulfill HIPAA security and privacy obligations that they didn't have before, and might not be prepared to take them on -- or even be aware they need to. Since the rule requires that business associates comply with all the requirements by Sept. 23, 2013, it is definitely a pressing matter.
What to do to maintain HIPAA compliance
Many firms will need to take some action to make sure they stay on the right side of the law. To do so, they'll need to first figure out whether they are considered a business associate. If they are, they'll need to implement a HIPAA compliance program to address the regulation. This can be both challenging and time consuming, particularly from a security and breach notification requirement standpoint.
To determine whether they are considered a business associate, organizations should do some evaluation on their own rather than waiting for updated business associate agreements. It might take a while for covered entities to update and reissue their agreements in light of the new requirements.
Customers or business partners that are covered entities may -- eventually -- make the business associate's HIPAA obligations quite clear through these agreements. Waiting for that to happen, however, probably doesn't allow sufficient time to update compliance programs and deploy any additional necessary controls. Instead, organizations may want to do some initial investigation on their own by reviewing current customer agreements. It also helps to conduct an examination of the definition of a business associate, per 45 CFR 160.103.
If you determine that you are a business associate and have to follow HIPAA compliance rules, that's when the real work starts. You'll want to update your compliance program to account for the specific HIPAA compliance requirements. This can be a significant effort, so I won't go through all the steps involved other than to point out that there is a wealth of information on how to accomplish this on SearchHealthIT.com, SearchSecurity.com and SearchCompliance.com -- as well as introductory materials made available through HHS itself.
The important part is to know the HIPAA rule change is coming, so organizations can do the work required and get their ducks in a row ahead of time. Don't forget, HHS has already begun an audit program to validate organizations' HIPAA compliance status. With the new rule in place, that audit and enforcement process could very likely extend to covered entities' business associates. In fact, the Office of Civil Rights has as much as said that it's going to audit these organizations (see, for example, slide 9 of the 2012 HIPAA Privacy and Security Audits presentation).
The point is, start the process now to determine if your organization must unexpectedly comply with HIPAA rules -- instead of scrambling to change processes before the September deadline.
Ed Moyle is director of emerging business and technology for ISACA. Moyle previously worked as senior security strategist at Savvis, senior manager at CTG, and prior to that served as a vice president and information security officer at Merrill Lynch Investment Managers.