HIPAA-covered entities must bring every Business Associate Agreement (“BAA”) into compliance with the Omnibus Rules by September 22, 2014. The US Department of Health & Human Services’ BAA template is available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
Under the Omnibus Rules, Business Associates are now required to execute compliant BAA’s with any subcontractors who require “routine” access to Protected Health Information.
By: Matthew MacLean, Cascade Asset Management
This month marks the final compliance date for the HIPAA Omnibus Rule (Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, Jan. 25, 2013). HIPAA Covered Entities and Business Associates spent the past twenty months bringing their systems, policies, and procedures in line with the HIPAA Omnibus Rule. With the final compliance date approaching, a brief overview of the HIPAA Omnibus Rule is in order.
Among other things, the HIPAA Omnibus Rule strengthened regulatory protections for Protected Health Information (“PHI”), increased penalties for HIPAA breaches, and expanded the concept of a HIPAA Business Associate. More specifically, the Rule:
- Finalized modifications to HIPAA’s Privacy, Security, and Enforcement Rules to implement the Health information Technology for Economic and Clinical Health Act (“HITECH Act”);
- Finalized Privacy Rule modifications aimed at increasing workability;
- Significantly modified the Breach Notification Rule, lowering the threshold required for notifying affected individuals of potential PHI breaches; and
- Implemented the Genetic Information Nondiscrimination Act of 2008 (“GINA”), prohibiting health plans from using genetic information for underwriting purposes.
Taken together, the HITECH Act and HIPAA Omnibus Rule effectuated sweeping change throughout the health care world. After bringing their programs into compliance, Covered Entities and Business Associates now turn their focus towards enforcement of the new HIPAA landscape.
Expanded Enforcement and Penalties
Federal fiscal year 2014 brought a permanent HIPAA audit program under the guidance of the US Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”), the agency charged with enforcing HIPAA. According to the OCR Director Leon Rodriguez, OCR wants “to hit more entities and be more focused on parts of the privacy and security rules for which breaches are at high risk.” The permanent HIPAA audit program, coupled with the increased fines under the Omnibus Rule, is having a very real impact on Covered Entities.
Over the past 12 months, HHS has collected more than $10 million in settlements from Covered Entities. Nearly half of this total, $4.8 million, came from one breach involving a joint compliance arrangement between two New York hospitals. Although it involved a relatively modest fine, HHS reached a $150,000 settlement with a Massachusetts practice for failure to have appropriate breach notification policies and procedures in place. OCR also sought enforcement against entities for failure to detect, and protect against, security risks.
HHS Tool to Assist with Risk Assessment:
Perhaps to counterbalance the renewed focus on HIPAA enforcement, the HHS Office of the National Coordinator for Health Information Technology (“ONC”), working with OCR, released their Security Risk Assessment (“SRA”) Tool, to aid Covered Entities in complying with the HIPAA Security Rule.
As noted above, the Security Rule requires that Covered Entities and Business Associates conduct regular risk assessment of their administrative, physical, and technical safeguards. The SRA Tool assists in the risk assessment process through a series of 156 questions targeted at the entity’s security practices. An affirmative or negative answer will prompt a response from the SRA Tool indicating whether the entity needs to take corrective action for that particular item. The SRA Tool contains resources to help the entity assess the potential impact to its PHI if a requirement is not met.
Although the HHS does not guarantee that using the SRA Tool ensures compliance, it does provide an additional resource for Covered Entities and Business Associates to assess the security practices of their organizations. Given OCR’s focus on compliance audits, and the steeper penalties after HITECH and the Omnibus Rule, having another compliance tool should be seen as a benefit. The SRA Tool is available at http://www.healthit.gov/providers-professionals/security-risk-assessment-tool.
Additional References:
- Neil Peters-Michaud, Cascade CEO, 608-316-6637 or nmichaud@cascade-assets.com, or Matt MacLean, Cascade BDE, 608-316-6622 or mmaclean@cascade-assets.com.
- Cascade’s Data Security overview: http://www.cascade-assets.com/datasecurity.html
- Cascade IT Asset Disposition Resources for the Health Care industry, including a sample BAA: http://www.cascade-assets.com/healthcare
- Summary of the HIPAA Privacy Rule, (U.S. Department of Health & Human Services, 2006) http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
- Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act, (U.S. Department of Health & Human Services, 2013) http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf