The U.S. Department of Health & Human Services (HHS) released a new rule on Jan. 17 to protect patient privacy and secure health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and run by The Office of Civil Rights.
With this new rule, The Omnibus Final Rule, protected payers and providers should no longer have any doubt that they are liable under HIPAA. To be sure, you only need to answer yes to a couple of the following questions:
- Do you receive, create, maintain or transmit Protected Health Information (PHI) for or from a covered entity (CE)?
- Are you a VAR, MSP, integrator or other, providing IT or related services to CEs or one of their Business Associates that involves the ability to access PHI in any manner?
- Are you a hosting service, storage or other vendor that has PHI residing in your network, even if you do not access the information?
So now you should know that you are a Business Associate. Here is the news: you must comply with many of the HIPAA Privacy Rules and all of the substantive Security Rules. Business Associates and their subcontractors (no matter how far down the ecosystem) are also directly liable for civil and criminal penalties under the enforcement rules. And no, you cannot waive these liabilities in your Business Associates’ Agreement or other contractual mechanisms.
So what’s the big deal? Besides the lawsuits you may suffer at the hands of a CE, the civil penalties you are now liable for range from $100 to $1,000 per violation for minor offenses to a mandatory $50,000 to $1.5 million per category for Willful Neglect, and a “violation” is every day that a noncompliant condition exists.
The criminal penalties are extreme and range from a $50,000 fine and one year in prison to a $250,000 fine and 10 years in prison. Organizations are already being levied major fines for minor indiscretions. The Massachusetts Eye & Ear Infirmary was hit with a $1.5 million fine for the theft of a laptop with 3,500 records. It was discovered in the investigation that they, allegedly, had not done a risk assessment and had not adequately created and followed the requisite policies and procedures.
In general, compliance with the Security Rule requires that you implement administrative, physical and technical safeguards to protect the privacy, availability and integrity of PHI. You must begin this process by:
- Identifying where your client’s PHI resides within your systems or the systems that you manage and/or the access points where you may be connected to other systems that contain PHI
- Completing an entity-wide Risk Assessment of those identified systems and implementing appropriate remediation to comply with the requirement to protect PHI
- Creating procedures to authorize and control workforce access to PHI
- Auditing systems access and maintaining documentation of those audits
- Documenting, implementing and enforcing policies and procedures
- Documenting, implementing and enforcing employee education and sanctions policies
- Developing a system to manage business continuity, disaster recovery and emergency mode operations plans
- Implementing security monitoring and log review
- Implementing a media management and encryption program
- Documenting all changes to the system, done by whom, to what, when and how
A primary and critical ongoing component of HIPAA Privacy and Security Rule compliance is developing and maintaining documented, viable and comprehensive policies and procedures, with sanctions for failure to comply. These should be achievable and cover all aspects of your PHI handling and IT operations.
Do not over-reach with these policies, as not following your own policies and procedures is as bad as, if not worse than, not having them at all. I have only just begun to touch on the reality that has hit Business Associates with the Omnibus Rule. If you are not already fully aware, as you should have been with HITECH, I hope you will either get educated or get out of the Healthcare Service arena while you still can.