
See You in 5757 A.D.? That’s What It Will Take

September 9, 2013
HIPAA Omnibus, Fuzzy Math, and a Bigger Burden

I’m not big on math, so you may have to bear with me for a second (and by that, I mean, let me get out the old Texas Instruments TI-81):

(Approximately) 32.8 million hours divided by 24 (hours in a day) equals approximately 1,366,666 days (I’m rounding down). 1,366,666 divided by 365 (days in a year) equals 3,744 years. The U.S. health industry will spend, in total, approximately 3,744 years to comply with Health Insurance Portability and Accountability Act (HIPAA) privacy rules, according to a recent notice in the Federal Register by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR).

Wait, what?

That’s right, I double-checked and you read that correctly. If you total the burden of time the entire healthcare industry, including covered entities and their business associates as well as members of the public, will spend complying with the rule, including the new Omnibus provisions, it equals approximately 3,744 years. See you guys in 5757 A.D.?

In all seriousness (and credit to Modern Healthcare for finding that notice), after seeing this kind of data, I have a better understanding of why people within the industry lose sleep over HIPAA, and specifically as of late, the Omnibus Rule (an amendment enacted a few years ago by the American Recovery and Reinvestment Act), which is set for compliance on Sept. 23. Even though the new provisions, according to that notice, account for only a tiny fragment of the overall burden, it’s still something else to think about. It adds yet more weight to what is clearly already a huge load.

New rules surrounding the relationship between covered entities and business associates have been a hot topic and for many health IT leaders, a bit of a mystery. In a recent podcast, I talked with our health privacy and security guy, Mac McMillan, co-founder and CEO of CynergisTek, Inc. and current chair of the HIMSS Privacy & Security Policy Task Force, about why this was the case.

McMillan, who blogged about this topic a few weeks ago, told me the rule is a wakeup call for the industry. In the past, he said, covered entities and business associates took advantage of the “conduit provision” and specific language in the old rule that essentially released them from that burden. Not so anymore.

“The OCR (Office for Civil Rights) audits last year, when everyone saw what the federal government expects in terms of vendor management, and realized that organizations are going to perform some level of due diligence on those folks they give their information to or give access to. They’ll have to have processes to monitor or manage those relationships while they’re working for them and they’re going to have an orderly process for breaches, as well as termination of those processes,” McMillan said.

In an interview with Healthcare Informatics’ Mark Hagland, Kathryn Coburn of the Los Altos, Calif.-based law firm Cooke, Kobrick & Wu, LLP, gave additional reasons why the business associate element of Omnibus has some CIOs under duress. She emphasized the importance of the business associate agreements under the new rule.

“Here’s the thing: these hospitals may have personal health records that are actually distributed to patients. So if they’ve outsourced that to a vendor, the vendor would have to report it to the FTC [Federal Trade Commission]; but if the vendor is a business associate of the hospital and is distributing it on behalf of the hospital, then the vendor is a business associate of the hospital, and the hospital would have to report to HHS, and the vendor would have to report it to the hospital or clearinghouse. But there is independent liability on the part of the vendor for notice of breach.”

As I read these interviews, I begin to understand the true burden of HIPAA. It’s not just on providers; it’s on their business associates too, and on those BAs who have subcontractors of their own. It goes far down the chain. As McMillan told me, the language in the rule is clear: any organization that has access to protected health information (PHI) and is doing something on behalf of a covered entity is liable as a business associate.

Every week, I read of at least two or three major healthcare breaches. Often, those breaches are caused by something a business associate has done. That’s disconcerting if you’re the CIO of a major healthcare organization, especially when you factor in the cost of a breach, fines from the government, and potential lawsuits.

I don’t think the HIPAA Omnibus Rule is rocket science, but it certainly adds additional levels of concern for providers. And when it takes thousands of years to get something done, who wants that?

As always, I want to hear your thoughts. Feel free to leave comments below or respond to me on Twitter by following me at @HCI_GPerna.