HIPAA compliance requirements not just for health care anymore

A new rule extends HIPAA compliance requirements to covered entities' business associates, forcing them to reexamine data security and privacy.

In January, the U.S. Department of Health and Human Services (HHS) issued a final omnibus rule outlining changes to HIPAA compliance requirements. The sweeping new rule addresses privacy, security, breach notification and enforcement.

This update has been widely discussed in the health care industry press, specifically how it changes what is considered a covered entity. If you are a health care compliance professional, chances are you've been tracking this rule change pretty closely. But compliance professionals who are not in health care need to pay attention as well, because many organizations outside of the direct patient-provider-payer relationship have new obligations under this rule by virtue of their business relationships.

Organizations not directly involved in the typical health care setting might be asking why and how these changes influence operations. The answer: The new rule expands Health Insurance Portability and Accountability Act compliance (including liability and enforcement considerations) to business associates of the typical covered entities directly involved in patient care.

While it might not seem so on the surface, this is a pretty big deal, because many firms could be considered "business associates" under the new HIPAA compliance rule. These associates include technology services providers such as hosting companies, software vendors, IT support companies, consulting outfits, data processing companies and cloud service providers. The trouble is, many business associates don't realize they're now considered one and therefore must follow the new HIPAA rules.

There are two reasons for this:

  1. In the past, covered entities tended to err on the side of caution in determining which external service provider relationships were business associates (and hence cast a wide net regarding who was classified as such); and
  2. Many service providers entered into business associate agreements with potential customers in order to close deals.

This means that many firms may have signed business associate agreements but didn't really change their practices much as a result -- and maybe forgot about it altogether. Under the new rule, those firms now must fulfill HIPAA security and privacy obligations that they didn't have before, and might not be prepared to take them on -- or even be aware they need to. Since the rule requires that business associates comply with all the requirements by Sept. 23, 2013, it is definitely a pressing matter.

What to do to maintain HIPAA compliance

Many firms will need to take some action to make sure they stay on the right side of the law. To do so, they'll need to first figure out whether they are considered a business associate. If they are, they'll need to implement a HIPAA compliance program to address the regulation. This can be both challenging and time-consuming, particularly from a security and breach notification requirement standpoint.

To determine whether they are considered a business associate, organizations should do some evaluation on their own rather than waiting for updated business associate agreements. It might take a while for covered entities to update and reissue their agreements in light of the new requirements.

Customers or business partners that are covered entities may -- eventually -- make the business associate's HIPAA obligations quite clear through these agreements. Waiting for that to happen, however, probably doesn't allow sufficient time to update compliance programs and deploy any additional necessary controls. Instead, organizations may want to do some initial investigation on their own by reviewing current customer agreements. It also helps to conduct an examination of the definition of a business associate, per 45 CFR 160.103.

If you determine that you are a business associate and have to follow HIPAA compliance rules, that's when the real work starts. You'll want to update your compliance program to account for the specific HIPAA compliance requirements. This can be a significant effort, so I won't go through all the steps involved other than to point out that there is a wealth of information on how to accomplish this on, and -- as well as introductory materials made available through HHS itself.

The important part is to know the HIPAA rule change is coming, so organizations can do the work required and get their ducks in a row ahead of time. Don't forget, HHS has already begun an audit program to validate organizations' HIPAA compliance status. With the new rule in place, that audit and enforcement process could very likely extend to covered entities' business associates. In fact, the Office for Civil Rights has as much as said that it's going to audit these organizations (see, for example, slide 9 of the 2012 HIPAA Privacy and Security Audits presentation).

The point is, start the process now to determine if your organization must unexpectedly comply with HIPAA rules -- instead of scrambling to change processes before the September deadline.

Ed Moyle is director of emerging business and technology for ISACA. Moyle previously worked as senior security strategist at Savvis, senior manager at CTG, and prior to that served as a vice president and information security officer at Merrill Lynch Investment Managers.

Is your organization now considered a "business associate" that must adhere to HIPAA?
Yes, my company is considered a business associate because we have clients who are health care providers, and we handle their protected patient data. This isn't something new for us, but I do think that the organization was pretty lax about compliance in the past.

This year, there is much more focus on HIPAA, HITECH and data security in general. The driving force is actually that the company would like to go public and therefore will possibly be facing a lot more scrutiny than it has in the past.
In this information age, where so many pieces of information can be coalesced to compromise a person's identity, I really think it isn't just HIPAA, but lots of other information that companies who build, maintain, and store data from any number of applications.

I think companies need to think beyond this idea of business associate and start thinking of data security in much stronger terms.