On September 23, 2013, many companies will be required by law to comply with HIPAA…and they don’t even know it. Specifically, the final HIPAA Omnibus Rule pulls all companies under the law if they store, process, or transmit PHI data as part of their business processes. While the Omnibus Rule was drafted in late 2012, Coalfire still sees a lot of confusion among service providers, or business associates.
In this edition of Compliance Talk, we speak with Andrew Hicks…Coalfire’s Healthcare Practice Director…to clarify Omnibus, HIPAA and HITECH. There are a lot of nuances to this discussion that could have significant impact on your business!
Note: Dirk is on vacation this week and is replaced by Jennifer Kaniecki, Coalfire’s Healthcare Sales Manager for the Rocky Mountain and Midwest areas. Jennifer joins Ken and Andrew at the Bean and Berry over a round of double-shot espressos (“dopios”).
Ken: Thanks for joining us, Andrew. To get started, let’s talk about the difference between the HIPAA Security Rule, the HITECH Act, and Omnibus. But keep it simple for me, ok?
Andrew: Sure thing. Think of HITECH and Omnibus as bolt-ons to the HIPAA Privacy and Security Rules. Specific to the Security Rule, it’s important to understand that it has never changed…it has always been the exact same requirements under the Administrative, Technical, and Physical Safeguards. What has changed is the introduction of new requirements per HITECH and Omnibus. Perhaps the biggest change is that Omnibus requires all organizations that store, process, or transmit PHI data as part of their business processes to comply with HIPAA.
Jennifer: Wait a second…let’s start at the beginning. The HIPAA Security Rule is a law that came into effect over a decade ago, but it was originally targeted at so-called “covered entities”. Those are hospitals, doctors, health insurance companies…those that originate Protected Health Information.
Andrew: Yes…technically, the original HIPAA Security Rule applied to health plans, health clearinghouses, and health providers. Health providers include hospitals, clinics, doctors and others. As you said Jennifer, those that originate or create the PHI.
Ken: Ok, then HITECH came out and said that covered entities need to ensure their business partners/service providers are protecting PHI according to the HIPAA Security Rule. Those partners are called “business associates” (BAs).
Andrew: That’s right, but there’s a nuance there. HITECH is a law, but again directed at covered entities, not business associates. It said that covered entities have the right to make sure their business associates are protecting their data. That’s why covered entities have business associates sign “Business Associate Agreements” (BAAs). It’s how they extend responsibility to the BA, but HITECH is still a law for covered entities.
Jennifer: So, correct me if I’m wrong, but prior to Omnibus, if a BA gets compromised, it’s going to impact the covered entity. The covered entity (CE) is in trouble and they can make the BA liable provided they have a BAA.
Andrew: Yes, but if they don’t have that BAA in place, the BA is still not off the hook with Health and Human Services (HHS), but they are likely off the hook with the CE. Omnibus changed all that.
Ken: So, the Omnibus Rule now says that there is a direct legal connection?
Andrew: Right. Omnibus says that BAs are completely on the hook for HIPAA compliance.
Ken: But if HHS could always go after BAs…what changed?
Andrew: Prior to Omnibus, HHS got involved through the CE. While they could go after a BA, they had to do so through compromises at CEs. BAs were sucked into compliance because CEs under HITECH had to get BA agreements. Now under Omnibus, the law states right there…if you store, process or transmit PHI data, you must comply with HIPAA.
Jennifer: A lot of service providers negotiated the terms of their BA agreements or simply refused to sign them, hoping the issue would just go away. And, honestly, it did for many. So now, all of those service providers that avoided signing BAAs must now comply with HIPAA.
Ken: That’s right…in the past we would talk to BAs and they would say “we do NOT sign BA agreements” but now that is no longer an “out” for them. Starting September 23rd, they’re under the final Omnibus Rule - stating that they are covered by law whether or not there is a BA contract.
Andrew: Correct. Keep in mind there are many other things in Omnibus beyond this. For example, there are also requirements on how genetic information can be used.
Jennifer & Ken: [together] Let’s not go there! [laughs]
Andrew: OK. Just know there are other things that impact BAs depending on what they do. There is also another important item relevant to this conversation. Omnibus applies not only to BAs but also so-called “subcontractors”.
Ken: Ah yes…I’ve seen how Omnibus applies to “Business Associates and their subcontractors”.
Andrew: Right. The term “business associate” was introduced with HITECH. It was interpreted to go one level down…that is, to the CEs’ direct partners. Omnibus, however, applies to any organization that stores, processes or transmits Protected Health Information (PHI). That means that partners of BAs are also required by law to comply with HIPAA.
Ken: And partners of partners!
Andrew: Right! It’s a huge population of companies…close to 7 million by some estimates.
Ken: That’s the problem with establishing a nomenclature, like “business associate”. It’s an established term, but now the industry needs it to be more expansive. So, the key is that Omnibus pulls any company into scope that stores, processes or transmits PHI. That includes hosting companies, cloud service providers, call centers and even system integrators.
Andrew: Exactly. If they said everyone is a BA, it would confuse the marketplace because they would say “well I never signed a BA agreement”. So, they added the concept of “subcontractor”, which includes any business with PHI.
Jennifer: Cloud Service Providers (CSPs) are really at risk because they frequently have no idea what kind of data they are getting. Yet, they are covered under the HIPAA law now because of Omnibus?
Andrew: Exactly. Many CSPs, and companies like them, are saying they are nothing but a ‘conduit’ for PHI, and they never really ‘see’ the data. But that does not alleviate them from liability.
Ken: So, who’s going to enforce it?
Jennifer: Well, the law says you have to be HIPAA compliant, it does not say you have to be independently validated. This is Coalfire’s challenge. Our services center on risk management for all companies in the healthcare ecosystem. When I hear a company say they are HIPAA compliant…are they really sure? Have they done due diligence, or are they strictly relying on what their IT team says? We are seeing a lot of BAs and subcontractors come to us now because they want to be sure. They want that independent expert opinion that Coalfire provides.
Ken: So, HIPAA is still enforced through breach investigations. There is a government agency that will go to BAs and say “We want to audit you and we have that right”.
Andrew: Well, actually, there were the OCR (Office for Civil Rights) audits under HHS. They conducted random audits at covered entities in 2012 to gauge the industry’s issues with compliance, but they didn’t hand out fines and penalties. Instead, they used the audit results to create what they call the OCR Audit Protocol.
Ken: And these CEs were a wreck, compliance-wise?
Andrew: Yes, they were a wreck.
Ken: And now, they plan to continue the random audits to include BAs?
Andrew: Right. In 2014 they are going to include BAs.
Ken: But, if there are 20,000 companies that fall into scope for HIPAA now, they will probably sample something like 10?
Andrew: They did 115 audits last year. But, the key here is that service providers don’t want to play Russian roulette with this. There are requirements with mandatory risk assessments, civil penalties and potential for criminal penalties that can amount to as high as $1.5 million per violation. It creates absolute chaos and people lose jobs. The cost quickly gets into the millions. Everything a service provider does for due diligence reduces risk. Our assessments are part of that due diligence.
Ken: We need to wrap up. Let me ask you one last question. Can you describe what ePHI is?
Andrew: Per the letter of the law, ePHI is individually identifiable health information that is transmitted by electronic media or maintained in electronic media. Broken down, for information to be considered as PHI, the data set must contain information that uniquely identifies an individual as well as information related to their health.
Ken: Are subcontractors and BAs covered under both privacy and security?
Andrew: Yes. But the scope for our privacy assessments varies widely. CEs tend to have a lot of privacy issues, while BAs and subcontractors tend to be smaller because their exposure and use of PHI is frequently in electronic form. Privacy only impacts them in how the data is used, how it’s disclosed, and so on.
Ken: That’s pretty clear. What are the parameters of PHI? Name, medical diagnosis…what else?
Andrew: There are 18 individual qualifying parts for PHI. Things like driver’s license number, address, IP address, name, social security number, and so on.
Ken: And they need a combination of some of those 18?
Andrew: Right, they don’t need all 18, obviously, but generally any one of those with associated medical data. As always, it can get complicated because some of those 18 can be situational. For example, if a doctor’s office has patient files facing out, you might see a name of a patient. OK, that fact may not constitute PHI. But, if it’s at an AIDS clinic, it could be a totally different matter.
Ken: As always, there are gray areas everywhere in compliance and security. Thank you, Andrew. We will post this and will let you know if our clients have questions. And, thank you, Jennifer, for filling in for Dirk. We’ll all have to do this again in a month or two!