So what's the most significant security provision in the massive new HIPAA Omnibus Rule? Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT, points to the provision that clarifies that business associates and their subcontractors must comply with every aspect of the HIPAA Security Rule.
Pritts notes that BAs now must comply with many aspects of the HIPAA Privacy Rule as well. The beefed-up BA requirements come just in the nick of time, she says, because so many organizations are using the services of cloud vendors.
In a Feb. 28 educational session at RSA Conference 2013, Pritts noted that under the original HIPAA requirements, covered entities, such as hospitals and clinics, should have been imposing security requirements on their business associates through formal BA agreements. "Those requirements are now set out very clearly," she says. "Business associates have to follow the same security rules as [covered entities] do."
Pritts says that in most cases, BA agreements likely will have to be modified to more clearly spell out responsibilities under the HIPAA Omnibus Rule. The rule's BA provisions are timely and important, she says, because a growing number of organizations, especially smaller clinics, are turning to cloud computing providers as they launch electronic health records systems and apply for HITECH Act incentive payments. ONC writes the rules for the incentive program.
"Many major breaches have occurred at the business associate level," Pritts notes. In fact, the HHS Office for Civil Rights' "wall of shame" list of major health data breaches shows about 21 percent of have involved BAs.
"This is a trend that we believe will continue," Pritts predicts, because the storage of patient data is shifting to the cloud.
Consumer advocate Deven McGraw, who participated in an RSA Conference panel with Pritts, laments: "There is not crystal clarity in the new rule as to who is going to be responsible and liable when there's a problem."
McGraw, director of the health privacy project at the Center for Democracy and Technology, also chairs the Privacy and Security Tiger Team that advises ONC.
In passing the HITECH Act, which required the modifications to HIPAA, "Congress expanded the possibilities for liability," she notes. "And there are not very clear lines drawn."
For example, if a covered entity is aware that a business associate is taking inadequate security precautions, it could be held responsible if the BA experiences a breach, McGraw points out.
"The covered entity is the one that has to notify the patients ... even if the breach occurred four entities downstream," she stresses. "So it will be a hit to the covered entity from a reputational standpoint."
McGraw predicts that federal regulators will "study whose behavior is responsible for the breach" and investigate to determine "whether the covered entity was asleep at the wheel" and failed to monitor a business associate's security."
The moral of the story? You can't afford to be asleep at the wheel.
The time has come to go far beyond relying on business associate agreements and carefully scrutinize vendor partners' policies and procedures for safeguarding patient information. Otherwise, your organization could face the risk of hefty fines if a BA experiences a breach.
At the conference, McGraw offered a powerful sermon about the need for healthcare organizations to take privacy and security far more seriously.
"We're happy to report improvements, but at the same time, it's quite an uphill battle in healthcare to ensure adoption of baseline security ... and get a cultural acceptance of the importance of data security," she says.
Recent federal settlements stemming from breach investigations have "shown an absence of the recognition of privacy and security as a priority and a lack of attention being paid to such security basics as a risk assessment," she notes.
If you need more ammunition for investments in security at your organization, remember this: The HIPAA Omnibus Rule calls for a ramping up of enforcement and heftier penalties for violations. And the next wave of federal audits for HIPAA compliance is on the horizon.
Are we at a turning point for data privacy and security in healthcare? Sure feels like it to me.