About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Wednesday, July 21, 2010

HIPAA Proposed Modifications

As reported last week, on Thursday the Department of Health and Human Services ("HHS") issued its long-anticipated notice of proposed rulemaking (NPRM) modifying the HIPAA Privacy, Security and Enforcement Rules. Why the changes? The goal is to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of these HIPAA Rules.

The proposed rule states: "We propose to add language in . . . the definition of “business associate” to provide that subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” . . . to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person." Sound like our cloud computing efforts?

In today's business world, with ever-expanding multi-level arrangements for outsourcing, offshoring, and cloud computing, such a change in the HIPAA regulatory structure would have a tremendous impact. This appears to be exactly what HHS has in mind. As noted by the NPRM, "we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance."  Keep in mind, you can't outsource your responsibility!

It is quite possible that many such vendors have no idea that they serve in such a capacity, or fail to do the due diligence needed to determine whether they are an agent of a business associate. Going forward, if the proposed modifications become final in their current form, vendors MUST determine whether they are playing such a role and set up contracts and handle compliance obligations accordingly. It will be the business associate's responsibility to set up a contract (and a business associate will be liable for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency). However, the lack of such a contract (i.e., the business associate's failure to comply with its own responsibility in this regard) would not let the agent off the hook. Ensure your contracts cover all your obligations under HIPAA.

The NPRM provides the following example: "under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate)."

• OK, but if the covered entity fails to set up a contract with me as a business associate in the first place, I am not a business associate, right?

Wrong. Even if there is no contract, under the proposed modifications you are a business associate if you meet the definition of one: "a person is a business associate if it meets the definition of “business associate,” even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required contract with the business associate."

As discussed above, the proposed modifications would add references to business associates in the Security Rule to make clear that, consistent with the requirements of the HITECH Act, business associates are now directly responsible for complying with the Security Rule. It is your responsibility to clearly define the business partner/associate/vendor role. It is their responsibility to ensure they understand that role and that the contract clearly states roles, compliance obligations and how compliance will be audited. It is your responsibility to audit the providers under contract with you for compliance, awareness and security.

I propose to you that these changes are necessary and good steps to ensure security around health data. Too many organizations are quick to move portions of their IT organization to business partners in the hope of getting out from under HIPAA requirements. Like I said before, you can't outsource your responsibility. The responsibility remains with you, and any willful neglect is on your shoulders. Security has to be taken seriously - throughout the organization. This includes social engineering training for your reception staff!

One more thing: research your cloud computing vendors. Do a complete audit of their processes, facilities and security, and review their third-party audits. Make sure you understand their complete security posture and what safeguards they can provide around your data. There are SaaS and cloud providers going into business that shouldn't be in business - they clearly don't understand security. Be cautious.

Keep positive and engaged!

Scott Arnett
scott.arnett@charter.net
