Though the HIPAA Omnibus Rule of 2013 technically went into effect in March, all HIPAA-covered entities are required to be compliant by today, Sept. 23. However, at least one HIPAA compliance expert has questioned whether business associates have taken the necessary steps to comply with the new requirements.
Spawned by the passage of the HITECH Act in 2009, the Department of Health and Human Services' HIPAA Omnibus Rule expanded breach notification requirements and placed new HIPAA compliance responsibilities on "business associates" -- any third-party contractor or service provider that handles patient information on behalf of a HIPAA-covered entity.
Before the latest HIPAA regulations went into effect, hospitals and physician offices were responsible for their business associates' activities. Hospitals were forced to utilize business associate agreements, which require business associates to apply appropriate security and privacy controls for any sensitive information they handled for the covered entity.
Now, though, business associates have been made directly liable for HIPAA requirements, and according to Natalie Kmit, senior information security advisor with Portland, Maine-based Sage Data Security LLC, many of those organizations have not given their newfound responsibilities the time and effort needed to ensure compliance.
During the six-month grace period between the inception of the law and the hard cutoff for compliance, Kmit said she expected a "flurry of activity" on the part of business associates, but instead she was surprised to find that it was hospitals and physician practices scrambling to do risk assessments, update documentation and put remediation plans in place in case of audits.
In contrast, she found business associates taking on the attitude of, "These bad things can't happen to me, they happen to other people," and, "We're too small to be a target."
"No one is too small to be a target," Kmit said.
She pointed to her own organization, consisting of approximately 25 employees, as an example of a small business that can maintain HIPAA compliance. To do so, Kmit noted that small businesses must take three steps. First, they must acknowledge that they are liable for breaches of HIPAA requirements and fully understand what that entails. Second, by conducting risk assessments they can gain a better understanding of the vulnerabilities, potential threats and threat sources that apply to them. And third, they should put together a remediation "roadmap" that involves prioritizing what needs to be fixed and how to go about fixing it.
When asked what it would take to make business associates care about HIPAA, she proceeded to paint a typical data breach scenario involving a small business that does billing for a hospital. If that business were to have unencrypted data backup tapes "fall off the back of a truck," that business is now held to essentially the same standard as a covered entity, meaning they can face civil monetary penalties, or potentially even worse.
Unfortunately, Kmit predicted that such business associates won't take HIPAA compliance requirements seriously until large fines are issued.
"They've tried the carrot approach and have now taken out the big stick," she said.