Business associates that handle protected health information must prepare for audits and enforcement actions under the HIPAA Omnibus Rule, says security expert Susan Lucci.
Under HIPAA Omnibus, for the first time, business associates - vendors that provide services to covered entities and have access to patient information - and their subcontractors are directly liable for HIPAA compliance and face penalties for violations.
Lucci, a consultant with Just Associates, says the Sept. 23 compliance date for HIPAA Omnibus means business associates need to make compliance an urgent priority.
The Department of Health and Human Services "has made it very clear that no one handling PHI is off limits to audits and enforcement," Lucci says in an interview with HealthcareInfoSecurity (transcript below). "We can expect to see continued audits that will now include business associates with limited advance notification times."
The HIPAA compliance audit program, which was tested last year, will resume after the end of fiscal 2013, federal officials say (see: HIPAA Audits: A Status Report).
Duties Of Business Associates
Business associates need to do more than implement HIPAA-compliant procedures, Lucci says. "Having good practices is important, but having documentation that proves good practice is now required."
In the interview, Lucci discusses steps that business associates and subcontractors need to take to prepare for this new compliance burden, including:
- Identify a privacy officer in their organizations;
- Encrypt devices that store patient information;
- Thoroughly document a risk analysis;
- Assess how to provide patients with accounting of disclosures of their protected health information.
Lucci heads the security and privacy practice at Denver-based Just Associates. Previously, she was privacy officer at large business associate companies working with covered entities. She is also 2013 co-chair of the privacy and security council of the American Health Information Management Association.
MARIANNE KOLBASUK MCGEE: What steps should business associates be taking to comply with HIPAA Omnibus?
SUSAN LUCCI: First of all, they need to be sure they have all the basic requirements covered. These include identifying their privacy and security officer; conducting HIPAA and security awareness training and updates for their staff; making sure that they have completed and updated all their policies and procedures in privacy, security and breach notification; and that they have updated business associate agreements and get them out to their subcontractors if they use them.
Finally, and probably most importantly, be sure that they have conducted and documented a comprehensive risk analysis. HHS has issued guidance on the HIPAA audit protocol, and that can serve business associates as an excellent guide for policies and procedures.
MCGEE: What should business associates be doing differently under HIPAA Omnibus compared to what they've done in the past in terms of safeguarding patient data, documentation and so on?
LUCCI: The first thing is the recognition that what they've done previously no longer will be sufficient. They're going to want to understand their direct responsibilities and liability level now that they're going to be held as accountable as covered entities [for HIPAA compliance]. After they've done a good review of the processes that they have established, a good approach might be to perform a gap analysis compared to the final rule and see what else is remaining to be done.
For example, if they work with subcontractors, their responsibility to ensure that all of them are compliant with the final rule is absolutely clear. They own this now. Additionally, they're going to want to ensure that they have everything in place regarding accounting of disclosures ... an access report of PHI [protected health information], since the new rule enables patients to request this information. If it's not readily available in printed or electronic form in a readable format, they're going to need to find a way to be able to produce this moving forward.
MCGEE: What do you think will be the biggest challenges for business associates and subcontractors under the new rule?
LUCCI: Business associates are faced now with a realization that the Department of Health and Human Services and its Office for Civil Rights are very serious about conducting audits and enforcement of the established penalties. Business associates that have done a good job meeting the basic requirements may not have to do much more than review and update their established practices. Those who have put this off, however, are going to have a very short timeline to get a tremendous amount of work done. The biggest challenges may come to business associates when they start reviewing updated business associate agreements from the covered entities that they work with, and they're going to recognize that the language in these agreements has changed.
New business associate agreements place many more requirements and potentially transfer direct costs to the business associates in the case of a breach. ... The costs of a breach are significant ... the internal costs of remediating the breach and getting all the work done that goes along with it. Buttoning up gaps in practice, particularly with subcontractors, is going to be key.
We're seeing more and more business associate agreements now that transfer all the costs of breach remediation over to the business associate, and this is likely to continue to be normal practice. When you consider that 20 percent of the major breaches have happened on the business associate side, it's pretty clear that this is a problem that needs dramatic improvement.
Breach Notification Standard
MCGEE: How do you think the new breach notification standard will impact business associates and subcontractors now that they have to comply?
LUCCI: What business associates need to understand first of all is that they can be pursued directly and have penalties assessed up to $1.5 million [per violation] under the law. What isn't directly stated in the law is the reputational loss and loss of business that can and does take place when a breach occurs. Where business associates and subcontractors are not implementing encryption is one area that poses the greatest risk.
For example, let's say a business associate provides a desktop or a laptop computer to an employee, and let's say the employee keeps PHI on it. If the employee terminates the relationship with the employer and fails to return that computer or laptop, there are significant risks of breach. This essentially is a computer that has been stolen and would need to be reported that way.
The first challenge that the business associate would have is to make a determination of how much PHI was on that computer. Then they'll have to go through the breach-notification process and notify the covered entity under the new breach provisions. It's way more complex now that the harm threshold has been removed. It has been replaced with a required four-factor risk assessment. What this means is you have to do these four steps to determine that it's not a reportable breach.
The first thing you have to do is identify the nature and extent of the PHI involved. You have to state who the unauthorized person was who used the PHI or to whom the disclosure was made. The third step is whether or not the PHI was actually acquired or viewed, and fourth is the extent to which the risk to PHI has been mitigated - in other words, assurances from trusted third parties that the information was destroyed.
Changes to HIPAA Audit Prep
MCGEE: Do you think the HIPAA Omnibus Rule will bring changes in how organizations prepare for possible HIPAA audits? And if so, what sort of changes do you think they should be ready for?
LUCCI: It certainly should change how they're doing this. ... If organizations haven't devoted adequate time and resources to this yet with a HIPAA Omnibus compliance deadline of Sept. 23, 2013, they're going to need to make this a priority right now. They need to evaluate internal practices and validate that the documentation is reflective of their internal procedures. Having good practices is important, but having documentation that proves good practice is now required.
Next, they're going to need to identify where those gaps are and establish practices that align with the requirements. HHS has made it very clear that no one handling PHI is off limits to audits and enforcement. We can expect to see continued audits that will now include business associates with limited advance notification times. In December 2012, we saw the first penalty of $50,000 for a breach of less than 500 patients. Everyone, no matter how large or how small, must tighten up their practices and get in compliance and safeguard PHI.