HIPAA Business Associates and now Subcontractors – A Big Heads Up!

HIPAA Business Associates and HIPAA Compliance

Whew!  Nothing like a Notice of Proposed Rule Making (NPRM) from Health and Human Services (HHS) to send the HIPAA compliance blogosphere into a near “brown out” and hatch a new crop of self-proclaimed HIPAA privacy and security experts!

More importantly, I hope the NPRM has some effect on the business leaders and managers of organizations (Covered Entities, Business Associates and, newly proposed, Business Associate “subcontractors”) that ought to be doing something about privacy and security!

This NPRM is a good one!  “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act”.

Some pundits are proclaiming they’ve studied the 234-page NPRM!  No doubt, that will impress you about the blogger’s reading skills and chronic insomnia.  I did read the official 58-page version published in the Federal Register, so there!

In announcing the NPRM, HHS Secretary Kathleen Sebelius said, “To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers.  While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

There’s much to discuss, but my comments in this post focus on HIPAA Security and Business Associates.  The HIPAA Security Rule is where the greatest amount of neglect, ignorance and non-compliance exists and from which the continued inexplicable and most egregious data breaches emanate.  (As of this writing, since HHS started posting “data breachers” in February 2010 on the HHS data breach “wall of shame”, Covered Entities and their Business Associates have impermissibly disclosed the Protected Health Information of ~3.5 million fellow Americans – equivalent, almost, to the entire population of Los Angeles!)

Let’s stick with data and facts for those seeking real information, not opinions:

  1. The official HHS Press Release on this NPRM
  2. The official NPRM was issued on July 14, 2010
  3. A Notice of Proposed Rule Making is not the final regulation.  It is a notice and an invitation for public comment.
  4. Public comments are due in roughly 60 days; therefore, September 13, 2010.
  5. Comments received will be considered and possibly incorporated into the Final Rule over a time period that could extend through the end of the year, December 2010.
  6. While it’s important to get started (I’m a strong advocate), as stated in the NPRM, there is some time: “In addition, we recognize that covered entities and business associates will need some time beyond the effective date of the final rule to come into compliance with the final rule’s provisions. In light of these considerations, we intend to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions.”
  7. Fundamentally, the standards and the specifications in the HIPAA Security Final Rule stand as written – there are no sweeping, dramatic changes that make compliance any more or less difficult.  Compliance is still a (large, non-trivial) business risk management project (not an IT project) and is still a journey, not a destination.
  8. As it relates to the Security Rule and as we knew from the HITECH Act statutes, the single biggest changes for Security Rule compliance come in the form of a much, much larger net that is cast to now include not only Business Associates but also Business Associate subcontractors. “Therefore, consistent with Congress’ intent in sections 13401 and 13404 of the Act, as well as its overall concern that the HIPAA Rules extend beyond covered entities to those entities that create or receive protected health information, we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance.”

What Actions You Should Take Now:

  1. Familiarize yourself with the proposed changes; discuss with your attorney and/or HIPAA Consultant
  2. Don’t set your hair on fire yet!
  3. If you’ve not already done so, start your HIPAA Security Compliance work by completing an honest self-assessment of where you stand (we may be able to assist you).
  4. Sink your teeth into this Business Associate and subcontractor matter, whether you are a Covered Entity, Business Associate or Business Associate subcontractor.  I predict that all parties in the “chain of trust” or “chain of custody” will be statutorily obligated to comply with the law AND be subject to the new Civil Monetary Penalty system:
    a. Document your “ePHI data life cycle” for all ePHI that you create, receive, maintain or transmit to understand your “chain of custody”
    b. Complete an exhaustive inventory of your upstream and downstream “chain of custody” relationships
    c. Hold a Business Associate conference or webinar or workshop to take a more active role to ensure your Business Associates become compliant with the Privacy and Security requirements
    d. Update your standard Business Associate Agreement to reflect the requirements of the HITECH Act
    e. Start re-executing or executing Business Associate Agreements to get this critical area under control

If we may be of any assistance, please do not hesitate to contact us.

Bob Chaput is president of HITECH Security Advisors LLC and Data Mountain LLC.  HITECH Security Advisors helps Covered Entities and Business Associates meet stringent HIPAA-HITECH Security Rule requirements and address one of five health outcomes policy priorities in the Meaningful Use Stage 1 guidelines dealing with privacy and security.  Data Mountain offers Iron Mountain Digital’s online data backup and recovery services.  Bob is no stranger to protecting large amounts of healthcare data – his experience includes managing some of the world’s largest healthcare databases, requiring the highest levels of security and privacy, while a senior executive at GE, Johnson & Johnson and Healthways, Inc.  Contact him at: bob.chaput@HIPAASecuityAssessment.com or bob.chaput@DataMountain.com