A recent report suggests that nearly 40% of data breaches of protected health information occur at third-party companies entrusted by health care providers with sensitive data. That is a striking statistic, particularly since HIPAA and HITECH mandate that healthcare providers ensure privacy and security among such “business associates.” While providers generally insist these obligations be included in their contracts with outside vendors, the 40% breach statistic shows just how ineffective such agreements have been without the benefit of additional enforcement or oversight.
It is against this backdrop that the Office of Civil Rights (OCR) determined that more needed to be done in this area. Its most recent recommendation calls for business associates to be held directly liable for the breach of protected health information (PHI) under HITECH Act sections 13401 and 13404. This change will go into effect 12 months after the issuance of the Omnibus NPRM (expected in the next few months). Thus, in mid-to-late 2012, business associates and their subcontractors will have the same obligations as covered entities under the HIPAA Security Rule — and therefore must conduct their own HIPAA security risk assessments. Sue McAndrew, Deputy Director for Health Information Privacy at OCR, has called the extension of direct liability to business associates “a sea change” in the regulations.
So what’s a business associate to do? Wait for the final rule to go into effect? Wait 12 months after that? At Redspin, we’d suggest a more proactive approach. A sea change, after all, is an idiom for a broad transformation, not generally a time for a waiting game. We see a healthcare market where business associates will need to provide proof of robust, effective information security programs as a prerequisite of doing business with providers. For their part, forward-thinking BAs who invest in their IT security today will get the jump on promoting IT security as a competitive differentiator in the future.