Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

HIPAA Cloud Bursts: New Guidance Proves Cloud Services Are Business Associates

Posted on October 10, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.
hipaa-cloud
It’s over. New guidance from the federal Office for Civil Rights (OCR) confirms that cloud services that store patient information must comply with HIPAA.

Many cloud services and data centers have denied their obligations by claiming they are not HIPAA Business Associates because:

  1. They have no access to their customer’s electronic Protected Health Information (ePHI),
  2. Their customer’s ePHI is encrypted and they don’t have the encryption key,
  3. They never look at their customer’s ePHI,
  4. Their customers manage the access to their own ePHI in the cloud,
  5. Their terms and conditions prohibit the storage of ePHI, and
  6. They only store ePHI ‘temporarily’ and therefore must be exempt as a ‘conduit.’

Each of these excuses has been debunked in HIPAA Cloud Guidance released on October 7, 2016, by the Office for Civil Rights.

The new guidance clearly explains that any cloud vendor that stores ePHI must:

  1. Sign a HIPAA Business Associate Agreement,
  2. Conduct a HIPAA Security Risk Analysis,
  3. Comply with the HIPAA Privacy Rule,
  4. Implement HIPAA Security Rule safeguards the ePHI to ensure its confidentiality, integrity, and availability.
  5. Comply with the HIPAA Breach Reporting Rule by reporting any breaches of ePHI to its customers, and be directly liable for breaches it has caused.

The OCR provides examples of cloud services where clients manage access to their stored data. It discusses how a client can manage its users’ access to the stored data, while the cloud service manages the security of the technical infrastructure. Each needs to have a risk analysis that relates to its share of the responsibilities.
access-denied-phi
OCR also recently published guidance that cloud services cannot block or terminate a client’s access to ePHI, for example, if they are in a dispute with their customer or the customer hasn’t paid its bill.

As we have been saying for years, the 2013 HIPAA Omnibus Final Rule expanded the definition of HIPAA Business Associates to include anyone outside a HIPAA Covered Entity’s workforce that “creates, receives, maintains, or transmits PHI” on behalf of the Covered Entity. It defines subcontractors as anyone outside of a Business Associate’s workforce that “creates, receives, maintains, or transmits PHI on behalf of another Business Associate.”

‘Maintains’ means storing ePHI, and does not distinguish whether the ePHI is encrypted, whether the Business Associate looks at the ePHI, or even if its staff has physical access to the devices housing the ePHI (like servers stored in locked cabinets in a data center.)
hipaa-fines-payment
A small medical clinic was fined $100,000 for using a free cloud mail service to communicate ePHI, and for using a free online calendar to schedule patient visits. Recently the OCR issued a $2.7 million penalty against Oregon Health & Science University (OHSU) partly for storing ePHI with a cloud service in the absence of a Business Associate Agreement.

“OHSU should have addressed the lack of a Business Associate Agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels.  “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

So what does this mean to you?

If you are Covered Entity or a Business Associate…

  • A common myth is that all ePHI is in a structured system like an Electronic Health Record system. This is wrong because ePHI includes anything that identifies a patient, nursing home resident, or health plan member that is identifiable (many more identifiers than just a name) and relates to the treatment, diagnosis, or payment for health care.

    EPHI can be in many forms. It does not have to be in a formal system like an Electronic Health Record (EHR) system, but can be contained in an e-mail, document, spreadsheet, scanned or faxed image, medical images, photographs, and even voice files, like a patient leaving a message in your computerized phone system requesting a prescription refill. During our risk analyses we find ePHI everywhere- on servers, local devices, portable media, mobile devices, and on cloud services. Our clients are usually shocked when we show them where their ePHI is hiding.

  • Never store ePHI in any cloud service without first knowing that the service is compliant with HIPAA and will sign a HIPAA Business Associate Agreement.

    This automatically disqualifies:

    • The free texting that came with your cellular phone service;
    • Free e-mail services like Gmail, Yahoo!, Hotmail, etc.;
    • Free e-mail from your Internet service provider like Cox, Comcast, Time Warner, Charter, CenturyLink, Verizon, Frontier, etc.;
    • Free file sharing services from DropBox, Box.com, Google Drive, etc.
    • Consumer-grade online backup services.

hacked-healthcare

  • Another common myth is that if data is stored in the cloud that you don’t have to secure your local devices. This is wrong because if someone can compromise a local device they can gain access to your data in the cloud. Be sure the mobile devices and local devices you use to access the cloud are properly protected, including those on your office network, and at users’ homes. This means that all mobile devices like phones and tablets; PCs; and laptops should be secured to prevent unauthorized access. All devices should be constantly updated with security patches, and anti-virus/anti-malware software should be installed and current. If ePHI is stored on a local network, it must be a domain with logging turned on, and logs retained for six years.
  • Use an e-mail service that complies with HIPAA. Microsoft Office 365 and similar business-class services advertise that they provide secure communications and will sign a HIPAA Business Associate Agreement.
  • You may be using a vendor to remotely filter your e-mail before it arrives in your e‑mail system. These services often retain a copy of each message so it can be accessed in the event your mail server goes down. Make sure your spam filtering service secures your messages and will sign a HIPAA Business Associate Agreement.

mobile-device-security-in-healthcare

  • Never send or text ePHI, even encrypted, to a caregiver or business associate at one of the free e-mail services.
  • Never use the free texting that came with your cell service to communicate with patients and other caregivers.
  • If you have sent text messages, e-mails, or stored documents containing ePHI using an unapproved service, delete those messages now, and talk with your compliance officer.
  • Review your HIPAA compliance program, to ensure it really meets all of HIPAA’s requirements under the Privacy, Security, and Data Breach Reporting rules. There are 176 auditable HIPAA items. You may also need to comply with other federal and state laws, plus contractual and insurance requirements.

If you are a cloud service, data center, or IT Managed Service Provider …

  • If you have been denying that you are a HIPAA Business Associate, read the new guidance document and re-evaluate your decisions.
  • If you do sign HIPAA Business Associate Agreements, you need to review your internal HIPAA compliance program to ensure that it meets all of the additional requirements in the HIPAA Privacy, Security, and Data Breach Reporting rules.
  • Also become familiar with state regulations that protect personally identifiable information, including driver’s license numbers, Social Security numbers, credit card and banking information. Know which states include protection of medical information, which will require breach reporting to the state attorney general in addition to the federal government. Know what states have more stringent reporting timeframes than HIPAA. You may have to deal with a large number of states with varying laws, depending on the data you house for customers.

hipaa-terms-and-conditions

  • Make sure your Service Level Agreements and Terms & Conditions are not in conflict with the new guidance about blocking access to ePHI. Compare your policies for non-payment with the new guidance prohibiting locking out access to ePHI.
  • Make sure your Service Level Agreements and Terms & Conditions include how you will handle a breach caused by your clients when they are using your service. Everyone should know what will happen, and who pays, if you get dragged into a client’s data breach investigation.
  • Make sure all of your subcontractors, and their subcontractors, comply with HIPAA. This includes the data centers you use to house and/or manage your infrastructure, programmers, help desk services, and backup vendors.
  • Learn about HIPAA. We see many cloud vendors that promote their HIPAA compliance but can seldom answer even the most basic questions about the compliance requirements. Some believe they are compliant because they sign Business Associate Agreements. That is just the first step in a complex process to properly secure data and comply with the multiple regulations that affect you. We have helped many cloud services build compliance programs that protected them against significant financial risks.
  • If you have administrative access to your client’s networks that contain ePHI, you are a Business Associate. Even if your clients have not signed, or refused to sign, Business Associate Agreements, you are still a Business Associate and must follow all of the HIPAA rules.
  • If you are reselling hosting services, co-location services, cloud storage, file sharing, online backup, Office 365/hosted Exchange, e-mail encryption, or spam filtering, you need to make sure your vendors are all compliant with HIPAA and that they will sign a Business Associate Agreement with you.
  • Look at all the services your regulated clients need. Include in your project and managed service proposals clear links between your clients’ needs and your services. For example, when installing replacement equipment, describe in detail the steps you will take to properly wipe and dispose of devices being replaced that have stored any ePHI. Link your managed services to your client’s needs and include reports that directly tie to your clients’ HIPAA requirements.

About Mike Semel
mike-semel-hipaa-consulting
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.

NFL Players’ Medical Records Stolen

Posted on June 21, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’d been meaning to write about this story for a while now, but finally got around to it. In case you missed it, Thousands of NFL players’ medical records were stolen. Here’s a piece of the DeadSpin summary of the incident:

In late April, the NFL recently informed its players, a Skins athletic trainer’s car was broken into. The thief took a backpack, and inside that backpack was a cache of electronic and paper medical records for thousands of players, including NFL Combine attendees from the last 13 years. That would encompass the vast majority of NFL players

The Redskins later issues this statement:

The Washington Redskins can confirm that a theft occurred mid-morning on April 15 in downtown Indianapolis, where a thief broke through the window of an athletic trainer’s locked car. No social security numbers, Protected Health Information (PHI) under HIPAA, or financial information were stolen or are at risk of exposure.

The laptop was password-protected but unencrypted, but we have no reason to believe the laptop password was compromised. The NFL’s electronic medical records system was not impacted.

It’s interesting that the Redskins said that it didn’t include any PHI that would be covered by HIPAA rules and regulations. I was interested in how HIPAA would apply to an NFL team, so I reached out to David Harlow for the answer. David Harlow, Health Blawg writer, offered these insights into whether NFL records are required to comply with HIPAA or not:

These records fall in a gray zone between employment records and health records. Clearly the NFL understands what’s at stake if, as reported, they’ve proactively reached out to the HIPAA police. At least one federal court is on record in a similar case saying, essentially, C’mon, you know you’re a covered entity; get with the program.

Michael Magrath, current Chairman, HIMSS Identity Management Task Force, and Director of Healthcare Business, VASCO Data Security offered this insight into the breach:

This is a clear example that healthcare breaches are not isolated to healthcare organizations. They apply to employers, including the National Football League. Teams secure and protect their playbooks and need to apply that philosophy to securing their players’ medical information.

Laptop thefts are common place and one of the most common entries (310 incidents) on the HHS’ Office of Civil Rights portal listing Breaches Affecting 500 or More Individuals. Encryption is one of the basic requirements to secure a laptop, yet organizations continue to gamble without it and innocent victims can face a lifetime of identity theft and medical identity theft.

Assuming the laptop was Windows based, security can be enhanced by replacing the static Windows password with two-factor authentication in the form of a one-time password. Without the authenticator to generate the one-time password, gaining entry to the laptop will be extremely difficult. By combining encryption and strong authentication to gain entry into the laptop the players and prospects protected health information would not be at risk, all because organizations and members wish to avoid few moments of inconvenience.

This story brings up some important points. First, healthcare is far from the only industry that has issues with breaches and things like stolen or lost laptops. Second, healthcare isn’t the only one that sees the importance of encrypting mobile devices. However, despite the importance, many organizations still aren’t doing so. Third, HIPAA is an interesting law since it only covers PHI and covered entities. HIPAA omnibus expanded that to business associates. However, there are still a bunch of grey areas that aren’t sure if HIPAA applies. Plus, there are a lot of white areas where your health information is stored and HIPAA doesn’t apply.

Long story short, be smart and encrypt your health data no matter where it’s stored. Be careful where you share your health data. Anyone could be breached and HIPAA will only protect you so much (covered entity or not).

The HIPAA Final Rule and Staying Compliant in the Cloud

Posted on September 3, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The following is a guest post by Gilad Parann-Nissany, Founder and CEO of Porticor.

The HIPAA Omnibus Final Rule went into effect on March 26, 2013.  In order to stay compliant, the date for fulfilling the new rules is September 23, 2013, except for companies operating under existing “business associate agreements (BAA),” who may be allowed an extension until September 23, 2014.

As healthcare and patient data move to the cloud, HIPAA compliance issues follow.  With many vendors, consultants, internal and external IT departments at work, the question of who is responsible for compliance comes up quite often.  Not all organizations are equipped or experienced to meet the HIPAA compliance rules by themselves.  Due to the nature of the data and the privacy rules of patients, it is important to secure the data correctly the first time.

HIPAA and the Cloud
Do you have to build your own cloud HIPAA compliance solutions from scratch?  The short answer is no.  There are solutions and consulting companies available to help move patient data to the cloud as well as secure it following HIPAA compliance rules and best practices.

The following checklist provides a guide to help plan for meeting the new HIPAA compliance rules.

A Cloud HIPAA Compliance Checklist

1. Ensure “Business Associates” are HIPAA compliant

–          Data Centers and cloud providers that serve the healthcare industry are in the category of “business associates.”

–          Business Associates can also be any entity that “…creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.”  This means document storage companies and cloud providers now officially have to follow HIPAA rules as well.

–          Subcontractors are also considered business associates if they are creating, receiving, transmitting, or maintaining Protected Health Information (PHI) on behalf of a business associate agreement.

–          As a business associate they must meet the compliance rules for all privacy and security requirements.

What can you do?

Ensure business associates and subcontractors sign a business associate agreement and follow the HIPAA compliance rules for themselves and any of their subcontractors. A sample Business Associate Agreement is available on the HHS.gov website.

What happens if you are in violation?

The Office of Civil Rights (OCR) investigates HIPAA violations and can charge $100 – 50,000 per violation.  That gets capped at $1.5 million for multiple violations.  The charges are harsh to help ensure that data is safe and companies are following the HIPAA rules.

2. Data Backup

– Health care providers, business associates, and subcontractors must have a backup contingency plan.

– Requirements state that it has to include a:

Backup plan for data, disaster recovery plan, and an emergency mode operations plan

– The backup vendor needs to encrypt backup images during transit to their off-site data centers so that data cannot be read without an encryption key

– The end user/partner is required to encrypt the source data to meet HIPAA compliance

What can you do?

If you handle the data backup internally, set a plan to meet HIPAA compliance and execute it.
If you have external backup solution providers, ensure they have a working plan in place.

3. Security Rules

–          Physical safeguards need to be implemented to secure the facility, like access controls for the facility

–          Develop procedures to address and respond to security breaches

–          There are an additional 18 technical security standards and 36 implementation specifications as well

What can you do?

Put a plan in place to protect data from internal and external threats as well as limiting access to only those that require it.

4. Technical Safeguards

Health care providers, business associates, and subcontractors must implement technical safeguards. While many technical safeguards are not required – they do mitigate your risk in case of a breach. In particular, encryption of sensitive data allows you to claim “safe harbor” in the case of a breach.

v  Study encryption and decryption of electronically protected health information

v  Use AES encryption for data “at rest” in the cloud

v  Use strong – and highly protected – encryption key management; this is the most sensitive and difficult piece on this list – consider to use split-key cloud encryption or homomorphic key management

v  Transmission of data must be secured: use SSL/TLS or IPSec

v  When any data is deleted in the cloud any mirrored version of the data must be deleted as well

v  Limit access to electronically protected health information

v  Audit controls and procedures that record and analyze activity in information systems which contain electronically protected health information

v  Implement technical security measures such as strong authentication and authorization, guarding against unauthorized access to electronically protected information transmitted over electronic communication networks

What can you do?

Adopt strong encryption technology and develop a plan to ensure data is transmitted, stored, and deleted securely. Develop a plan to monitor data access and control access.

5. Administrative Safeguards

For organizations to meet HIPAA compliance they must have HIPAA Administrative Safeguards in place to “prevent, detect, contain and correct security violations.”  Policies and procedures are required to deal with: risk analysis, risk management, workforce sanctions for non-compliance, and a review of records.

v  Assign a privacy officer for developing and implementing HIPAA policies and procedures

  • Ensure that business associates also have a privacy officer since they are also liable for complying with the Security Rule

v  Implement a set of privacy procedures to meet compliance for four areas:

Risk Analysis
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity”

Risk Management
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

Workforce Sanctions for Non-Compliance
“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”

Review of Records
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

v  Provide ongoing administrative employee training on Protected Health Information (PHI)

v  Implement a procedure and plan for internal HIPAA compliance audits

What can you do?

Develop an internal plan to meet HIPAA compliance and have a privacy officer to implement requirements.  Ensure that policies and procedures deal with analysis of risk, management of risk, policy violations, and sanctions for staff or contractors in violation of the policy.  Develop and maintain documentation for internal policies to meet HIPAA compliance as it will help define those policies to your organization and could assist during a HIPAA audit.

Gilad Parann-Nissany, Founder and CEO of Porticor, is a cloud computing pioneer. Porticor infuses trust into the cloud with secure, easy to use, and scalable solutions for data encryption and key management. Porticor enables companies of all sizes to safeguard their data, comply with regulatory standards like PCI DSS, and streamline operations.

Don’t Let a Business Associate Compromise Your HIPAA Compliance

Posted on August 5, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The following is a guest post by Kari Woolf, Senior Global Product Marketing Manager, Novell.
Kari Woolf - Senior Global Product Marketing Manager at Novell
Traditional healthcare organizations are no longer the only enterprises expected to comply with the strict rules and regulations of the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services (HHS) recently issued the final omnibus rule of HIPAA, which creates significant liability for many technology enterprises, as it has extended the requirement of HIPAA compliance to healthcare “business associates.”

Defining an “organization” and a “business associate.”

A healthcare organization is a healthcare provider, health plan or healthcare clearing house. A business associate is defined as any company that provides its services to healthcare providers, health plans or healthcare clearing houses. These organizations have always been required to comply with HIPAA. Under the new omnibus rule of HIPAA, business associates are now required to be HIPAA-compliant as well. Even companies that may not view electronic protected health information (ePHI), but store, transfer, conduct transactions or in any way manage files for healthcare organizations must comply, and healthcare organizations have to have a business associate agreement in place with those companies.

What does this mean for healthcare organizations?

Organizations often let their employees use cloud-based solutions because they believe sharing internally is not in violation of any HIPAA ordinance. However, any time a file is shared via the cloud it is then in the hands of a company that could be considered a business associate. In most cases, these business associates are not HIPAA-compliant, creating an unnecessary risk for the organization.

The business associate might get in trouble—but the healthcare organization is almost sure to get in trouble. HIPAA regulators are cracking down on traditional healthcare organizations. HHS recently announced the first HIPAA breach settlement involving less than 500 patients at the Hospice of North Idaho (HONI). According to the HHS resolution agreement, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices. This resulted in a $50,000 fine, a two year probation period and extensive reporting requirements for up to six years.

What can healthcare organizations do?

Regardless of any regulations, organizations must enable employee access to important materials from whichever devices or locations employees need to work from. This challenges IT to maintain control of ePHI while still enabling employees to access and share files.

An on-premise solution is a viable option for these organizations to remain HIPAA compliant. Employee productivity and user experience don’t have to be abandoned, as a robust on-premise solution can enable a cloud-like, user-friendly experience with corporate data and files. Organizations can remain HIPAA compliant with certain, trusted cloud solutions, but IT needs to ensure that the cloud provider they choose has the enterprise experience to keep data safe, and with controls and restrictions that only allow the right people to access the right files. Consumer-focused cloud solutions like Dropbox won’t be sufficient for HIPAA compliance. SkyDrive from Microsoft, for example, just announced that IT can now see who has viewed and altered certain documents from the platform. While this is a step in the right direction, visibility alone does not prevent data breaches; it only serves as a notification after the fact, when it may already be too late.

Here’s a quick list of action items to help you maintain HIPAA compliance:

  1. Consider an on-premise solution: Reconsider whether the trouble of relying on a business associate is worth the benefit. On-premise solutions offer all the same capabilities that cloud solutions do, and in fact, most on-premise solutions are more mature and offer better features. Most importantly, they provide a secure foundation for accessing and working with ePHI.
  2. Conduct a full audit of third-party apps in use: Popular mobile apps like Dropbox, Evernote and even Gmail are not HIPAA-compliant. Using these apps constitutes giving ePHI to noncompliant business associates.  Employees may not realize this—they simply want to use the apps they’re familiar with. You need to police the issue. Not sure how to do this? A good mobile device management solution should have tools to help you.
  3. Use a mobile device management tool that can remotely wipe a device if it is lost or stolen: This empowers the network administrator to track and manage access to sensitive data. If a device with ePHI is compromised the network administrator can quickly and efficiently delete the data and minimize any risks. Better yet…
  4. Use your mobile devices as gateways, not destinations: Employees are going to use mobile devices, and there’s little sense in trying to stop them. Instead, make sure those devices don’t become the destination for your ePHI and instead act as a gateway. Employees can access files through their mobile devices without having the actual files on the mobile devices. On-premise solutions will keep ePHI in your data center without it being compromised through cloud storage and file-sharing services.    
  5. Audit mobile devices frequently: All organizations need to have an updated auditing schedule for mobile devices to ensure they are in compliance with any and all organization and regulatory requirements.
  6. Sign a business associate agreement with any outside organization that touches your ePHI: If a cloud vendor or other business associate won’t sign an agreement, find one that will or consider an on-premise solution.

Kari Woolf is a Senior Product Marketing Manager and Collaboration Marketing Lead for Novell. She has been with the company for more than 14 years in a variety of marketing and communications capacities. In addition to her high tech marketing experience, she served as an account manager and content director for a creative agency specializing in live events. She holds a Bachelor of Arts degree in Political Science from Brigham Young University.

HIPAA Fines and Penalties in a HIPAA Omnibus World

Posted on July 25, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Lately I’ve been seeing a number of really lazy approaches to making sure a company is HIPAA compliant. I think there’s a pandora’s box just waiting to explode where many companies are going to get slammed with HIPAA compliance issues. Certainly there are plenty of HIPAA compliance issues at healthcare provider organizations, but the larger compliance issue is going to likely come from all of these business associates that are now going to be held responsible for any HIPAA violations that occur with their systems.

For those not keeping up with the changes to HIPAA as part of the HITECH Act and HIPAA Omnibus, here are a couple of the biggest changes. First, HITECH provided some real teeth when it comes to penalties for HIPAA violations. Second, HIPAA Omnibus puts business associates in a position of responsibility when it comes to any HIPAA violations. Yes, this means that healthcare companies that experience HIPAA violations could be fined just like previous covered entities.

To put it simply, hundreds of organizations who didn’t have to worry too much about HIPAA will now be held responsible.

This is likely going to be a recipe for disaster for those organizations who aren’t covering their bases when it comes to HIPAA compliance. Consider two of the most recent fines where Idaho State University was fined $400k for HIPAA violations and the $1.7 million penalty for WellPoint’s HIPAA violations. In the first case, they had a disabled firewall for a year, and the second one failed to secure an online application database containing sensitive data.

Of course, none of the above examples take into account the possible civil cases that can be created against these organizations or the brand impact to the organization of a HIPAA violation. The penalties of a HIPAA violation range between $100 to $50,000 per violation depending on the HIPAA violation category. I’ll be interested to see how HHS defines “Reasonable Cause” versus “Willfull Neglect – Corrected.”

I’ve seen far too many organizations not taking the HIPAA requirements seriously. This is going to come back to bite many organizations. Plus, healthcare organizations better make sure they have proper business associate agreements with these companies in order to insulate them against the neglect of the business associate. I don’t see HHS starting to search for companies that aren’t compliant. However, if they get a report of issues, they’ll have to investigate and they won’t likely be happy with what they find.

The message to all is to make sure your HIPAA house is in order. Unfortunately, I don’t think many will really listen until the first shoe falls.

Be Sure That Business Associates Are HIPAA-Prepared, Or Else

Posted on June 6, 2012 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Sure, most readers will know that it’s important to have business associates who know how to handle potential HIPAA concerns.  I’d wager, however, given the outbreak of partner-related data losses of late, many facilities and medical practices aren’t subjecting their business partners to severe enough scrutiny.

There’s many, many ways a business associate can drop the ball, especially if you’re not keeping them informed.  For example, consider the case of South Shore Hospital of South Weymouth, MA, which lost boxes of unencrypted backup tapes en route to associate Archive Data Solutions.  The tapes stolen included HIPAA-protected ePHI (SSNs, names, financial account numbers and diagnoses).

While the business associate may have done wrongly, it was the hospital which was fined a total of $475,000 over the incident, which affected over 800,000 individuals. The state’s Attorney General slapped the hospital with these fines because it hadn’t done due diligence to make sure the associate had appropriate safeguards in place.

So, how do you protect yourself in your relationship with data management associates?  The following list of criteria, supplied by Thu Pham, seem likely to do the trick:

  • Business associate has been independently audited across all 54 HIPAA citations and 136 audited components; they’ve passed with 100% compliance and can show you a copy of their report.
  • They can tell you the particular technologies they’ll use to meet HIPAA security standards.
  • They have documented policies and procedures already in place, including policies related to breach notification.
  • They have proof their employees are trained on how to handle your PHI, with last completed dates of training.
  • They should have their own business associate agreement in place that defines their responsibilities when handling your PHI.

I might also ask them how they train their workers, as all of this preparation might be worth a lot less if policies are loose.  Now, over to you. Do you think this list is sufficient to protect your institution?  Are there items you’d add or clarify?