Can your company afford to lose up to a million and a half dollars a year? That’s what a company can potentially be fined by the government for violating HIPAA security and privacy requirements. That’s a big dent in your wallet. So, how do you know if you could be affected, and if so, what can you do about it?
HIPAA stands for Health Insurance Portability and Accountability Act. Despite its name, it actually has to do with more than just insurance. Basically, this is the law that governs the protection of health information. It’s this law that prevents just anyone off the street from walking into your doctor’s office and getting the details of your last prostate exam. It’s also the law that fines an insurance company for tossing sensitive information into the trash rather than disposing of it appropriately.
The HIPAA “Expansion Pack”
On March 23, 2013, the HIPAA Final Omnibus Rule was enacted, creating significant new civil and criminal penalties for non-compliance. Healthcare providers, or covered entities as they are referred to in HIPAA, have been wrestling with the enormity of HIPAA since 1996. While many are not yet fully compliant, the vast majority have at least put in the effort to become compliant.
Just because you’re not an actual health care provider or insurance company doesn’t mean that you can breathe a sigh of relief, however. The law was recently expanded to include business associates of such organizations as health care providers, or even subcontractors of that business associate. Any downstream vendors that have any contact whatsoever with private health information are now affected by this law, as well as the potentially hefty fines just mentioned.
What’s changed in the Final Rule is that HIPAA is now being rigorously enforced, and the law now extends to cover all service providers who transmit, process, store, review, or destroy patient health information, for both paper records and electronic records. If you have clients or customers who are healthcare providers, expect to see new Business Associate Agreements from them that will increase your liability, indemnify the client and hold them harmless, and make your company responsible for all costs for the investigation, reporting, notification, and civil and regulatory penalties when a breach or suspected breach occurs. Be sure to discuss these new agreements with your lawyer and insurance agent before you sign them and accept full financial responsibility.
More Business Associate Impact
An important change for business associates is that they must now comply with, and be subject to audits for, the HIPAA Security and Privacy Rules. These requirements will be enforced, audited, and investigated by the Office for Civil Rights (OCR) and the State Attorneys General. Just to name a few, business associates are required to perform a business impact analysis, have a written incident response plan, and have internal IT systems with all of the technical controls in place as specified in the Security Rule, which is based on the National Institute of Standards and Technology (NIST) 800-series Special Publications.
For the healthcare providers, the first step is to identify all business associates with whom you do business. Those vendors should be classified according to risk, and a vendor risk management program should be developed. Due diligence on the high-risk business associates will be crucial. In the event of a reportable breach, failure to have performed proper due diligence on vendors may be deemed negligent by the regulators, which then escalates the monetary penalties. If your organization has a vendor management program, be sure it is documented, auditable, and enforced.
No business can afford to have its bottom line affected like that. If that’s not enough to sink your company, then the loss of customer trust that follows a loss of such sensitive and private information will. Do everything you can and should to protect and dispose of information properly, the most effective step being to enlist the help of a qualified data security expert. The good news is that the deadline to become fully compliant is September 23, 2013.
Free initial consultations are available to healthcare providers (covered entities) to review their vendor/business associate compliance programs, as well as to vendors (business associates) that will assess their HIPAA compliance risk state.