Omnibus HIPAA: BAs, Breaches Will Get Worse Before Better

By Tom Sullivan, Editor, Government Health IT
Twitter: @GovHITEditor

If the healthcare providers that have been operating under HIPAA for nearly two decades were the only ones required to comply with the new rule on privacy and security, that would be challenging enough. But they’re not.

Instead, the business associates deemed covered entities beginning September 23 are entirely new to the law, and that could open up a whole slew of problems.

“A lot of folks are real nervous about that,” said Brian Ahier, founder of Advanced Health Information Exchange Resources (AHIER). “Some are taking a wait-and-see approach.”

Ahier explained that, among the healthcare organizations he has encountered, most are at least prepared for the low-hanging fruit within the law: activities that include updating notices of privacy practices, getting policy and legal experts involved, and generally making sure they are set to meet the new requirements.

Yet those are the existing covered entities and, as such, they are more or less used to HIPAA — and even for them it will require major adjustments. But it’s the Business Associates (BAs), essentially partners, vendors, contractors and subcontractors, or anyone else who maintains protected health information (PHI), that have Rick Kam, president and co-founder of security vendor ID Experts, most concerned.

Business Associates
“We anticipate that as opposed to the organizations that are covered entities today, the few hundred thousand if you will, the final rule adds several million business associates including technology and services providers to the mix,” Kam explained. “The good news is now they’re accountable to protecting PHI; the bad news is now, I think, we will see a lot more issues arise out of these organizations becoming accountable.”

Having those business associates in a realm that all too frequently dedicates scant resources to securing protected health information, Kam continued, will likely expand the problem. In other words: More covered entities will translate to more reported breaches.

“The omnibus rules, now that they’ll be applied, are entirely new to BAs. So they’re going to need a lot of help understanding what they need to do,” Kam said. “It’s going to get worse before it gets better.”

Choppy water ahead
Laura Adams, president and CEO of the Rhode Island Quality Institute, explained that among her concerns is raising awareness among existing healthcare organizations and newly minted covered entities — even though Rhode Island as a state is actually ahead of the curve, having enacted legislation and other initiatives to protect patient data well before the final HIPAA rule.

“As we’ve become very transparent about breaches in this country, that has raised awareness because we’re all seeing the breaches being reported, publications are reminding us of that, and they should,” Adams said, explaining that RIQI and the Rhode Island HIE Current Care are hosting educational webinars, pushing out information via Twitter and blog posts, “everything it can do,” to spread the word and educate participants about tools available to help them comply. “I think we have more rough water ahead to navigate before we pass through that initiation into the new world of sharing very, very sensitive data.”

Ponemon Institute founder and chairman Larry Ponemon said he doesn’t expect data breaches to subside anytime soon but added that the omnibus rule “will have a positive impact because the verdict is out concerning how you actually go about securing all that information, especially in a health information exchange environment when by protecting the information you’re sometimes stopping the flow of data.”

And that is exactly what Adams and no doubt other HIE executives want, if not need, to avoid.

“We have to keep working to put the foundation in place,” Adams explained, “so we are able to connect all the data that’s needed to take care of people.”

Despite the tricky new BA regulations, none of the experts Government Health IT interviewed tended toward doomsday scenarios.

“A lot of people have been predicting the apocalypse because of this giant new rule coming in that’s going to change the face of privacy and security in healthcare. I don’t think that so much,” Ahier explained. “Obviously there will be a new level of scrutiny but I think it’s more an incremental change than the massive overhaul some people are calling it.”

This article was originally published on Government Health IT and is republished here with permission.