HIPAA Haggling with Business AssociatesHospital CISO Describes Resistance on Omnibus Requirements
Like so many other covered entities across the country, the 370-bed hospital south of Chicago is busy making changes to its business associate agreements in compliance with HIPAA Omnibus.
Under the HIPAA Omnibus Rule, new BA relationships and contract renewals initiated after the rule was published in the Federal Register on Jan. 25 need to reflect the rule's requirements by Sept 23, 2013. Pre-existing BA contracts have until Sept. 23, 2014, to be modified.
The rule broadens the definition of business associates and makes them liable for HIPAA compliance.
Many vendors, especially non-clinical services providers, are haggling over the requirements Riverside wants in its business associate agreements as a result of the Omnibus Rule, Devine says.
Among the objections that some BAs have to Riverside's contractual changes are requirements related to reporting improper use or disclosures of protected health information and modifications to the medical center's breach response policies, he says.
"BAs are trying to request a 30-day time period to [report] breaches [to Riverside], where we're asking for five days," he says.
To help address the disputes, "we're trying to educate all BAs on what the Omnibus rules are," he says. "We've had to have some strong discussions [about] if [a] BA doesn't agree to our terms ... then we are forced not to use that vendor any longer, and that poses a threat."
To educate its business associates, Riverside is sending e-mails and flyers and having discussions with vendors before presenting them with new agreements, he says.
In the interview, Devine also discusses:
- The hospital's preparation for the new breach notification requirements under HIPAA Omnibus, including a more formal approach to risk assessment;
- Tips, based on the hospital's experience so far, to aid HIPAA Omnibus compliance;
- Lessons that the healthcare sector can learn from data security practices in the financial services sector.
As chief security officer at Riverside, Devine is responsible for the medical center's information system, networking, telecom, wireless and mobility, as well as compliance and policy issues. Devine has worked in IT since 1994, and in information security since 1999. He held information security roles in the financial sector during most of his career until he joined Riverside in 2011.