The HIPAA Omnibus rule went into effect March 26th of this year and brings with it a whole busload of changes to the healthcare industry. While most of these changes are uniquely specific to the healthcare industry, there is an extension of responsibility to secondary service providers, called business associates, that may have impact beyond healthcare by changing who is responsible for protected information.
Business Associate Agreements, or BAAs, are written agreements between organizations that define responsibility for Protected Health Information (PHI) and how it is electronically communicated. These agreements detail the responsibility for proper care and handling of that information as well as the liability for any data leak. Where hospitals and direct providers of care are called “covered entities,” the Health and Human Services (HHS) website defines a business associate as:
A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.
The covered entity is required to have the business associate organization sign an agreement that confirms that personal health information is handled in a specific manner. For instance, if a hospital outsources its ambulance and paramedic service, an agreement has to be in place. If there is a breach of PHI by a paramedic, the hospital is ultimately responsible for the breach because the paramedic service was under a BAA. This approach is a fundamental shift in contracting and responsibilities for healthcare.
Imagine if this became the standard and crossed over into other businesses.
As an example, consider a large cable company with service technicians that handle residential accounts on behalf of the company. If the BAA requirements extended to information gathered by the service technician for the cable company, then any digital information that technician carries would now be the responsibility of the cable company. Don’t you think the cable company would handle things differently than it does today, when it simply pushes routes and addresses to the technician? Would the cable company maintain tighter restrictions on data as well as on the devices allowed for use?
In reality, a cable company has deniability if a technician loses a mobile device with addresses and phone numbers loaded onto it at a service call. The company would issue an apology and it would be a public relations nightmare, but responsibility would fall on the service contractor or, in the case of an independent contractor, the technician. If the requirements for business associates found in the HIPAA Omnibus rule became standard, organizations like the cable company would be responsible. The situation could be the same for every organization that outsources any IT function.
In an IT Asset Management (ITAM) scenario, all disposal organizations, data storage facilities, cloud service companies, etc. would have to enter into a BAA with the company that hired them for their particular services. The actions of the outsourcer for any portion of the IT Asset Management program would be the responsibility of the organization that hired them. While not necessarily a bad thing, it would alter the protections on which current operating procedures are based. Due diligence, risk assessment, and risk mitigation become even more important. The difficulties presented by technological change, such as new mobile devices, and by programs such as BYOD are magnified. Again, not necessarily a bad thing, but something that organizations should take notice of.
Would you be prepared?