It is becoming more apparent to me that there is still a large segment of the Healthcare IT community that is uninformed about the latest HIPAA Omnibus Rule. While onsite at a client recently I had a conversation with an IT professional who questioned my view of his company’s legal status as a HIPAA Business Associate. He agreed that the company serviced patients secondarily through its customers and stored PHI, but stated that since the company was not directly in communication with patients it was not covered under the HIPAA law. I responded that the fact that the company stored patient information meant it was covered under the HIPAA rules.
The HIPAA Omnibus Final Rule published January 25, 2013 states that an entity that maintains Protected Health Information (PHI), even if it doesn’t access it, is a HIPAA Business Associate. Therefore, if an entity retains patient data, even if the data is not relevant to its core business, that entity will be held accountable for any breach in accordance with the compliance rules. Equally important, a Business Associate is subject to audits by the Office for Civil Rights (OCR) within the Department of Health and Human Services.
Furthermore, if you work with any organization that meets the definition of a Business Associate, there needs to be a valid Business Associate Agreement (BAA) in place with each of your covered entities.
A Business Associate Agreement (BAA) is a contract between Business Associates and Covered Entities as defined by the HIPAA Omnibus Rule. A BAA must include the following provisions in no specific order:
• Business Associates are required to enter into BAAs or other arrangements that comply with the Privacy and Security Rules with their business associate subcontractors, in the same manner that covered entities are required to enter into contracts or other arrangements with their business associates.
• Business Associates must comply, where applicable, with the Security Rule with regard to electronic PHI.
• Business Associates must report breaches of unsecured PHI to covered entities.
• Business Associates must ensure that any subcontractors that create or receive PHI on behalf of the business associate or related covered entity agree to the same restrictions and conditions that apply to the business associate and covered entity with respect to the information.
• The Business Associate must execute a covered entity’s obligations under the Privacy Rule. The Business Associate must comply with the same requirements of the Privacy Rule as its covered entity.
If a breach does occur within a Business Associate organization, the Business Associate is required to notify the covered entity when the breach is discovered. If a Business Associate maintains PHI of multiple covered entities, it must notify only the covered entity or entities related to the breached information. If the Business Associate is unable to determine to which covered entities the breached information relates, then notification to all potentially affected covered entities may be necessary. A Business Associate must provide notice of a breach of unsecured PHI to a covered entity without unreasonable delay and in no case later than 60 days after the discovery of the breach.

Furthermore, if the breach occurred with regard to PHI maintained by a Business Associate who is an independent contractor, then the health care provider must provide notification based on the time the Business Associate notifies the covered entity of the breach. The Business Associate should, to the extent possible, provide the health care provider with the identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached, along with any other available information that needs to be included in the breach notification (even if it is after the 60-day period).

If PHI is being handled in multiple processes that include human intervention within your organization, the PHI disclosure risk is obviously high. Of course there may never be a breach, but your organization must be prepared to handle a breach if it does occur. However, if the breach is handled correctly, the impact should not negatively affect your organization in the long term. Remember, these rules are put in place to protect the patient, not to punish your organization.
Steve Cotton is a senior healthcare IT consultant with Sonte Consulting