In May two North Carolina healthcare providers, Presbyterian Anesthesia and Piedmont Healthcare, had to deal with credit card data breaches when their web-hosting firm, E-Dreamz, was hacked. Although no clinical data was compromised, the hacking event impacted thousands of patients and job applicants, according to a report by WSOC.TV News.
Breaches such as this remind us that although business associate breaches are less common than hospital breaches, they can be much larger and one breach can impact multiple health systems.
And that serves as another reminder that the rules about business associates are changing on Sept. 23. The HIPAA Omnibus Rule that became effective March 26 started the clock running on that transition. Starting Sept. 23, business associates and their subcontractors must follow the privacy provisions of their business associate agreements and the HIPAA Security Rule, and they face direct legal obligations and enforcement risk if they do not.
At Healthcare Informatics, we’ve written quite a bit about the HIPAA Omnibus Rule that went into effect in March. Most recently, my colleague John DeGaspari wrote a nice blog item in May based on his conversation with Brian Lapidus, head of the incident response and remediation group at the New York-based Kroll Advisory Solutions.
I won’t go through the changes in the final rule again here. But yesterday I saw a helpful presentation by attorney Kirk Nahra, a partner with law firm Wiley Rein LLP.
In a webinar sponsored by ID Experts, he noted that covered entities need to make sure they are aware of the business associates’ progress on these privacy and security requirements. “If you get any kind of pushback from business associates, you have to get more involved with them to make sure they change their behavior to full compliance,” Nahra said. Business associates need to get moving on it right now, he said. “They have had lots of time, because everyone knew this was coming since the HITECH Act was passed in 2009. Many did not take advantage of the last couple of years, but this is something you cannot do overnight.”
Confused about who is or isn't a business associate? Nahra said any company that creates, receives, maintains or transmits protected health information is a business associate. And the fact that you haven't signed a business associate agreement with a covered entity no longer protects you from responsibility. If you fit the definition, HHS can come after you for failing to live up to the requirements.
HHS is giving covered entities until September 2014 to revise contracts that are already in place with business associates. “You do have that time if you need it,” Nahra added, but that may leave you relying on contracts that are really outdated.
Nahra noted that the HHS Office for Civil Rights has lots of discretion in how it conducts enforcement and issues penalties and other resolutions. "They are using lots of trigger points. They tend to start narrow: what was the cause of complaint; then they expand from there into adjacent areas," he explained. HHS will always ask about your documentation of policies and procedures, he said. "It is always better to have fixed the problem by the time they come talk to you," he said. OCR is not an aggressive enforcement agency, he added; it is not announcing new investigations every day. But it does have broad authority. You must take it seriously at all times, and responding to an investigation can be quite burdensome to your organization.
So are you ready for Sept. 23? Are your business associates?