HITECH and the notice of proposed rulemaking (NPRM) published in the Federal Register on July 14, 2010 significantly change how Covered Entities (CEs) and Business Associates (BAs) must manage health IT security risk under HIPAA. Together they have, in effect, created an ePHI supply chain in which every party on the chain needs to worry about the security controls of every other party. Here’s why:
- Business Associates: the definition of a BA is expanded to include data transmission services such as Health Information Exchanges (HIEs) and Regional Health Information Organizations (RHIOs), as well as subcontractors of BAs that have access to ePHI.
- HIPAA Security Rule: BAs are now responsible for complying with the HIPAA Security Rule.
- Penalties: penalties for noncompliance apply not only to CEs, but also BAs and BA subcontractors.
- “Oops, we didn’t know”: a BA can no longer use lack of knowledge as a defense to limit liability for HIPAA violations.
- Dual Liability: BAs have contractual liability to the CE for HIPAA compliance via Business Associate Agreements (BAAs), as well as direct liability to the government.
What can you do? Whether you are a CE, a BA or a subcontractor of a BA, a number of steps can reduce your risk.
- Policies: Ensure you have effective and practical policies and procedures in place to document how you manage health IT and mitigate security risk.
- Training: Educate employees to ensure they understand the policies as well as the spirit and intent of those policies.
- Assessment: Complete a HIPAA Risk Analysis to identify security risk, determine the effectiveness of security controls, and measure conformance with your policies and the HIPAA Security Rule. Whether you are a CE, a BA or a BA subcontractor, you need to understand where your risk of ePHI disclosure lies. Since lack of knowledge no longer limits liability, a completed risk analysis both focuses your mitigation efforts and demonstrates a commitment to a robust information security program in the event of post-breach litigation.
- Manage Vendor Risk: Both CEs and BAs need to understand the extent to which their vendors magnify their risk of ePHI disclosure. Because every organization has limited resources, it’s important to rank vendors by the risk of ePHI disclosure they represent and to concentrate effort on the highest-risk ones. Steps to consider for all BAs, and especially those rated high risk:
  - Upgrade BAAs to include a right-to-audit clause that allows you to perform a HIPAA Risk Analysis or other assessment to verify the vendor’s risk profile.
  - Require BAs (or their subcontractors) to complete a Business Associate Security Questionnaire in which they attest to the basic elements of their information security program.
  - Make clear that you will periodically audit or spot-check selected answers to the BA’s Business Associate Security Questionnaire; a questionnaire is self-reported, and the credible prospect of verification is what makes the attestation meaningful.
Given the expanded liability and compliance requirements of the ePHI supply chain under HIPAA and the HITECH Act, even modest risk management efforts such as these can dramatically reduce risk throughout the chain.