Covered Entity Is the Only One with “Egg on their Face”

Written by:

When I first started writing this blog about six years ago, I named it EMR and HIPAA. I was working to implement an EMR at that time (this was well before EHR became in vogue) and I knew that HIPAA was a major talking point in healthcare.

Over time I’ve learned that doctors care enough about HIPAA to make sure that they don’t hear about it again. Up until now, that’s worked pretty well for most doctors. There haven’t been many HIPAA lawsuits and the government has mostly only investigated reported incidents.

We started to see a shift in this with the passing of the HITECH act which many described as giving “teeth” to HIPAA. I think we’re just now starting to see some of those teeth coming to bear with things like the OCR audits that 150 HIPAA covered entities will experience this year. That’s still a pretty small number, but the experience of those 150 is teaching us and the government a lot about areas where healthcare institutions have done a good job with privacy and security and where they likely are weak.

While at HIMSS I had the pleasure to have a brief conversation with CynergisTek CEO and chair of the HIMSS Privacy and Security Policy Task Force, Mac McMillan. I love talking with people like Mac since he is an absolute domain expert in the areas of privacy and security in healthcare. You just start him talking and from memory he’s pouring out his knowledge about these important and often overlooked topics. I loved what he had to say so much that I asked him if he’d do a series of blog posts on the OCR audits which I could publish on EMR and HIPAA. He said he was interested and so I hope we’re able to make it happen.

One simple thing that Mac McMillan taught me in our admittedly brief conversation was the changing role of the business associate in healthcare. In the past, most covered entities kind of hid behind their business associates. Many did little to verify or keep track of the policies and procedures employed by their business associates. With the new HITECH rules for disclosure of breaches and the OCR audits, covered entities are going to have to keep a much better eye on their business associates.

Mac then pointed out to me that the reason covered entities have to take on more responsibility is that they’re the ones that are going to be held responsible and take the blunt of the problem if their business associate has a privacy or security issue. I see it as the Covered Entity will be the one with Egg on their Face.

I don’t think we have to take this to an extreme. However, there’s little doubt that covered entities could do a much better job evaluating the privacy and security of their business associates and hold them to a much higher standard. If they aren’t, I wouldn’t want to be there for the OCR audit with them.