HIPAA Omnibus: Vendor Contracts
Pay Attention to Those Business Associate Agreements
Healthcare organizations signing new deals with vendors, including many cloud services providers, must make sure that their business associate agreements reflect the requirements of the new HIPAA Omnibus Rule, which goes into effect on March 26.
The rule broadens the definition of business associates to include any vendor that creates, receives, maintains or transmits protected health information on behalf of a covered entity.
And under the rule, business associates and their subcontractors are now directly responsible for compliance with the HIPAA Security Rule and many components of the HIPAA Privacy Rule. So contracts between covered entities and business associates need to reflect that change.
Agreements signed between covered entities and business associates before Jan. 25, 2013, the date the HIPAA Omnibus final rule was published in the Federal Register, must be modified by Sept. 23, 2014, to reflect the changes in the regulations.
"As a business associate, starting March 26, you will have the same responsibilities as a covered entity under HIPAA - you'll share the joy," quipped Jutta Williams, director of the corporate compliance privacy office at Intermountain Healthcare, an integrated delivery system in Utah, during the recent 2013 HIMSS Conference.
A common complaint from healthcare organizations has been that many vendors - including some large cloud services providers - have declined to sign business associate agreements.
But remember, if you're audited for HIPAA compliance or investigated for a breach and you don't have a business associate agreement in place, you could risk paying extra monetary penalties for HIPAA non-compliance (see: New Considerations for Breach Penalties).
Under HIPAA, covered entities have always needed to have business associate agreements in place with their vendors that describe safeguards for patient information, says Susan McAndrew of HHS' Office for Civil Rights. What has changed under the HIPAA Omnibus Rule "is that when these contractual arrangements are entered into, they now need to pay particular attention to the spelling out for the business associate of what exactly are the uses and disclosures of this protected health information that they will have," she says.
As a provider of cloud services, Microsoft has always considered itself a business associate, says Dennis Schmuland, chief strategy officer of Microsoft's U.S. health and life sciences division. So the company has long provided its cloud computing customers in the healthcare sector with a business associate agreement that the company developed in collaboration with healthcare providers, payers and medical schools. The agreement, however, is a standard contract Microsoft offers to all its healthcare customers regardless of the cloud services they use.
Schmuland explains that Microsoft, which will be updating its business associate agreement to reflect the new HIPAA Omnibus provisions, tells its healthcare cloud clients: "We will not use the data for secondary uses like contextual advertising or data mining."
The company also makes its privacy and security principles available to cloud customers via its website, he says. In addition, Microsoft will provide audit reports under a non-disclosure agreement; those reports include the auditor's assessment of penetration testing.
Healthcare organizations should demand that their business associates, no matter what their size, be very clear about how they'll safeguard patient information. And they should demand specifics on how these vendors will limit their use of sensitive patient information to the "minimum necessary" to perform a specific function, as the HIPAA Privacy Rule requires.
If your organization is doing work with vendors, including cloud computing specialists, that have been reluctant to sign business associate agreements in the past, make sure they're aware of the HIPAA Omnibus Rule. If they continue to drag their heels, then it's time to shop around for other vendors more forthcoming about privacy and security issues.