C-NOTE: Healthcare Business Associates - Fast Track to Omnibus Rule Compliance
By Rick Dakin, CEO and Chief Security Strategist, Coalfire
The effective date for the new Omnibus Rule is March 26, 2013, and the most dramatic impact will be on Business Associates (BAs) that provide services to the healthcare industry. By September 23, 2013, BAs must demonstrate full compliance with both the HIPAA Security Rule and the HITECH breach notification rule. This is a short window, justified by the multiple warnings already issued by the Office for Civil Rights (OCR).
I walked the halls of the Healthcare Information and Management Systems Society (HIMSS) conference held in New Orleans a few weeks ago and interviewed over two dozen BAs. The level of readiness expressed by those I spoke with was not good. Many service providers were hoping that the relative lack of enforcement of the HIPAA Security Rule would carry over to the Omnibus Rule. Most expected they would get multiple chances to come into compliance over the next few years. Essentially, the mood was to let someone else suffer a severe penalty before spending any time or effort establishing a formal compliance program.
While I strongly agree that previous enforcement of HIPAA compliance was weak, I see a distinct change in the mood at the OCR. The message has always been to encourage full compliance with published rules, but I see the enforcement program becoming much more aggressive. The OCR “Wall of Shame” that summarizes past PHI data breaches clearly shows that service providers are routinely the source of the breach. As a result, the OCR established audit protocols that focus on measuring BA compliance oversight by covered entities. And the OCR audit program for 2013 will include BAs even if their covered entities are not audited. These major changes indicate that the level of forgiveness may be much lower than in previous generations of HIPAA enforcement.
The good news for BAs is that the path to compliance does not need to be cumbersome. Compliance in other industries, such as PCI for retailers and GLBA for financial institutions, has paved a path to streamlined compliance. Companies like Coalfire that have years of compliance management experience in multiple industries can help BAs adopt streamlined Omnibus compliance programs.
With six months to prepare, most BAs can adopt a simple “Five Step Process to Omnibus Compliance” to reduce the risk of a data breach and meet the demands of covered entities, which must enforce their own HIPAA and HITECH compliance requirements. The five steps are summarized below:
1. Inventory all processes that collect, process, store or transmit ePHI.
2. Modify processes or systems to reduce the amount of ePHI collected or processed, so that the compliance program can be simplified and streamlined.
3. Conduct a gap assessment for compliance with the HIPAA Security Rule and the HITECH breach notification rule. (Remember, you must have written evidence of compliance for each control before you satisfy the control objective.)
4. Establish a remediation program that works for you. Not every environment is the same, and your controls may differ from those of other service providers. Be cost conscious and leverage the lessons learned in other industries.
5. When remediation is complete, have an independent third party conduct an assessment and issue a report to validate compliance. This report should come in two forms: a short summary to provide to covered entities, and a more detailed version that shows the evidence supporting each control.
Any new program like Omnibus compliance will introduce confusion and uncertainty. However, the path forward is known, and the opportunity to achieve compliance in a streamlined manner is real. BAs just need to start early and leverage existing knowledge to reduce both risk and cost.