HIPAA Security Rule Can No Longer Be Ignored

Health care organizations that have ignored the HIPAA Security Rule; businesses that resist compliance programs; and companies that store data but argue that they cannot access it all need to get past their HIPAA Denial. The sleeping enforcement giant has woken up, and it has little patience for non-compliant medical practices or Business Associates. And the deadlines are immovable.

The HIPAA Omnibus Final Rule publication has sent shockwaves through health care organizations, some of which have done less than a stellar job complying with the HIPAA Security Rule for the past 8 years. If you are one of these organizations, the good thing about your HIPAA Denial was that the government was also doing a less than stellar job—in enforcement— until 2012.

Many of the businesses that support health care organizations are just realizing that the HITECH Act of 2009 requires them to implement HIPAA compliance programs for themselves and their subcontractors by September 23, 2013. Since 2009, Business Associates have caused over 20% of reportable breaches, affecting over 12 million patient records. Had they complied with the HIPAA Security Rule, most of these might have been avoided.

The Final Rule requires data centers, online backup providers, e-mail hosting services, and other ‘Cloud’ service providers to comply with the HIPAA Security Rule simply because they ‘maintain’ data, even if they do not look at it. In some cases they have no access at all to the protected data because it is housed on servers in locked cabinets they cannot open, and in encrypted files for which they do not hold the encryption keys. They argue that because they cannot access the data they should be exempt from Business Associate status, like ‘conduits,’ the HIPAA term for postal and delivery services and Internet providers that move data but do not store it. They say they are ‘unintentional’ Business Associates. This is more HIPAA Denial, because these companies have no way to stop PHI from entering their systems, and will sometimes admit that they do gain access when providing customer support.

Data centers and Cloud vendors, the federal government does not have the financial or human resources to analyze the technical methods you use to protect stored data. I don’t believe they have either the patience or desire to spend time listening to you try to avoid being classified as Business Associates and have you comply with the HIPAA Security Rule. It only takes seconds to move thousands of patient records, and you are part of a chain that includes end-users, technology providers, and others who use your highly marketed services.

My gut tells me that HIPAA enforcers may not believe you anyway, because of situations like the Omnicell breach of 68,000 patient records. According to its clients, Omnicell, a vendor of drug dispensing carts, had signed contracts promising that it would only store patient data on encrypted devices, but then did not follow through. A laptop was stolen, and Omnicell admitted that the device was not encrypted. The enforcers know that systems can fail, shortcuts can be taken, instructions can be ignored, or a support engineer may be asked to help decrypt files or open a screen sharing session to solve a problem. Put your HIPAA Denial aside for a minute and you will probably agree.

How is the Office for Civil Rights (OCR) going to validate that your data center only stores encrypted data, houses co-located servers that are in locked cages, or that your partners and employees follow instructions and even terms in contracts? How can OCR police every support call to be sure that your client has not given you an encryption key, or asked you to open a screen sharing session? Why should your competitors using different technologies have to comply with the HIPAA Security Rule when you are exempt?

The simple answer is that it is easier for OCR, and—more important— better protection for patient data, if any organization that stores data for health care clients or their business partners is a Business Associate. This is simple HIPAA Logic, not HIPAA Denial. Face the facts and turn HIPAA Security Rule compliance into a business opportunity.

In interviews OCR has said it does not think that Business Associates should be stressed by the deadlines because:

Continued HIPAA Denial will only waste more time and increase the risk that you will not meet the requirements by the September deadline. If you don’t comply you risk HIPAA enforcement penalties that can exceed $1 million, plus the costs to comply or remediate a breach, and the embarrassment and potential lost business. The government has shown no patience for what it considers ‘willful neglect’ of HIPAA.

Admit your HIPAA Denial, get over it, and get started now with HIPAA Security Rule compliance, because you need to implement policies, procedures, updated agreements, and changes to your workflow by a deadline. They call it the Final Rule for a reason.

"originally written for 4MedApproved"