Make your vendors (HIPAA Business Associates) accountable NOW, or pay a big price

HIPAA Business Associate compliance can spell big trouble for medical practices, because many practice managers have not done a thorough job of managing their vendors. Many vendors either deny that they must comply with HIPAA or pay lip service to their health care clients without actually implementing a HIPAA compliance program. You need to be sure your vendors have completed a HIPAA Risk Analysis and a network vulnerability assessment, and that they are implementing HIPAA-compliant policies and procedures that will stand up to an audit or a data breach investigation. Then you need to be comfortable that they are performing their services in a HIPAA-compliant way, every day.

Even though there is a September deadline before HIPAA Business Associate enforcement begins, you need to ACT NOW to ensure your vendors are compliant. If they aren't, you need to replace them, and that takes time. Otherwise, every time you give a non-compliant vendor access to your network or EHR system, or let them see or handle any patient information, you risk an expensive and embarrassing HIPAA data breach.

The HIPAA Omnibus Final Rule announced in January 2013 spelled out the details of HIPAA Business Associate compliance and started a countdown to September 23, 2013, after which enforcement begins. Penalties can reach $1.5 million per year for violations of a single provision, and more when multiple provisions are violated. Here are some Myths and Facts you can use to better manage your Business Associates.

MYTH

Since Business Associates will now be directly liable for failed audits and data breaches, our medical practice has less risk than when we were the only one responsible.

FACT

False. Your exposure to penalties is increased under the new rule. YOU are responsible for protecting YOUR patients' information, and if the HIPAA Business Associate YOU authorize to access that data fails an audit or commits a data breach, YOU are also responsible. Business Associates are a serious problem: over 20% of the data breaches reported since 2009 have been caused by Business Associates. You are now responsible for ensuring that any subcontractors your HIPAA Business Associates use (including data centers, online backup providers, and Cloud vendors) are also compliant. In addition, the breach notification rule was changed to remove the 'harm' standard, so lost or stolen equipment containing unencrypted patient data is now presumed to be a reportable breach unless a documented risk assessment shows a low probability that the data was compromised. You should require that your vendors provide you with a network vulnerability assessment from an independent company that does not maintain their network.

MYTH

Having a HIPAA Business Associate sign a Business Associate Agreement is all I have to do to make sure they are HIPAA compliant.

FACT

False. A HIPAA Business Associate Agreement is required before you let a vendor provide any service that gives them access to patient information, but signing it does not make the vendor compliant. The vendor has a clear responsibility to implement a complete HIPAA compliance program. Like your practice, they must document their HIPAA-compliant policies, procedures, workforce training, and evidence of ongoing compliance. Because you are responsible for their activities, you should make them prove to you that they have a real HIPAA compliance program. Require that they share their HIPAA Risk Analysis with you to prove that they have met the first required implementation specification of the HIPAA Security Rule. You should also reserve the right to audit your vendors' compliance at any time.

MYTH

I only have to worry about my direct Business Associates and not any of their subcontractors.

FACT

False. The new rule requires a HIPAA Business Associate to ensure the compliance of any subcontractor that creates, receives, maintains, or transmits patient data on its behalf. An example would be an IT service provider (your Business Associate) that sells you an online backup solution from a vendor (your HIPAA Business Associate's subcontractor) that houses its servers and storage devices in a data center (your Business Associate's subcontractor's subcontractor). YOU are responsible for ensuring that all of them have signed HIPAA Business Associate Agreements and have really implemented compliance programs.

MYTH

It’s OK to use the HIPAA Business Associate Agreement we have always used.

FACT

False. In January 2013, HHS published sample Business Associate Agreement provisions reflecting the Omnibus Final Rule, and they should be incorporated into any new agreement you sign. Your existing Business Associate Agreements probably go back to 2005. You may have gotten a template from a medical association or from another practice. Replace these with a new version. An agreement that was already in place before January 25, 2013, and is not renewed or modified after March 26, 2013, may be kept until September 22, 2014, but your Business Associates must still meet all of the compliance requirements by the September 23, 2013 deadline.

MYTH

My paper records storage company, data center, online backup provider, and hosted Cloud software vendor each say they are not a HIPAA Business Associate because they never look at our data. They say it is sealed in boxes, encrypted, or locked in server racks they cannot access, so they should be considered a Conduit, like the post office, not a HIPAA Business Associate.

FACT

False. The HIPAA Omnibus Final Rule states that "an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information."

Many companies are still denying that they maintain protected health information, even though they concede that they store sealed boxes or encrypted patient data, or house servers that contain data. They continue to believe they aren’t Business Associates because they do not access your data. They are angry that they must comply. Some think the rule will be changed before September.  If they continue to deny their obligation for compliance, or think their engineers and technicians can do it for them, they will miss the deadline and leave you at risk. This is the time for you to either get a firm commitment from them or find another vendor. Don’t wait until the compliance deadline, or a data breach, to find out your vendor did not comply with the regulations.

MYTH

My data center says they are SAS 70, SSAE 16, and SOC 2 compliant, so they are compliant as a HIPAA Business Associate.

FACT

False. SAS 70, SSAE 16, and SOC 2 are auditing and attestation standards from the accounting profession (SAS 70 was superseded by SSAE 16 in 2011), and they do not meet the same requirements as HIPAA, which has its own framework and terminology. A SOC report covers only the controls and service criteria the vendor chose to have examined, so read the report's scope rather than relying on the label. While there are overlapping requirements, when faced with a HIPAA audit or data breach investigation you cannot expect a HIPAA auditor or investigator to accept an accountant's report that does not address the HIPAA standards.

This article from www.datacenterknowledge.com also addresses the idea that compliance can be mixed between requirements.

This reader’s comment is also relevant:

Certainly SOC 2 brings a somewhat better level of objectivity to data center audits than SSAE 16 (SOC 1), but it is not a substitute for a HIPAA audit. HIPAA requires specific policy, personnel training and breach remediation processes that are not covered in SOC 2 audits. In addition the HIPAA security rules are very different than SOC 2 standards…While SOC 2 helps data centers move towards a more objective audit, it’s not a substitute for HIPAA or a PCI audit… You can bet that HHS isn’t going to accept SOC 2 as a proxy for HIPAA compliance when it comes to penalties associated with PHI breaches.

MYTH

I don’t have the time to handle everything in our practice, plus the new HIPAA Business Associate requirements. I don’t understand technology well enough to know if my vendors are really compliant, and I don’t know how to review their HIPAA Risk Analysis to make sure it meets HIPAA standards.

FACT

True. It takes time, effort, and knowledge of both HIPAA and technology systems to make sure that Business Associates aren't just signing your agreements and saying they are compliant. You could do the risk analysis yourself, but the US Department of Health and Human Services has stated that "doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional."

"originally written for 4MedApproved"