The new Omnibus HIPAA regulations can be overwhelming but they cannot be ignored as the risk to your business is just too great in (in the form of penalties of $50K-$1.5 Million). Here is a summary of the most important changes made in January 2013. Although they will not go into an effect until September 23, now is the time to ask your HIPAA Compliant hosting provider to sign a Business Associate Agreement (BAA) if you haven’t done so yet.
Reasons Why Your Hosting Provider Might Not Want to Sign a BAA
Expanded definition of a business associate
The new regulation covers not only vendors of the healthcare provider, but also any sub-contractors. Many hosting providers used to try to take a position that they are not really business associates because they don’t view health information that is housed on their servers is encrypted. The new government regulations state that as long as you house protected health information (PHI) data or electronic medical records (EMR) within your data center for a substantial amount of time you are considered a business associate.
Directly liability for compliance with HIPAA security rules
According to the law, there has to be a HIPAA compliance security program in place. Business associates and subcontractors are directly liable to the government for failure to comply with the requirements of the HIPAA Security Rules.
Direct Liability for compliance with certain requirements of HIPAA Privacy Rules
The new HIPAA rules provide that business associates are directly liable to the government under the HIPAA Privacy Rules and are subject to sanctions in certain situations such as failing to notify a covered entity of a breach of unsecured PHI, uses and disclosures of PHI that are not consistent with the business associate agreement or HIPAA privacy rules, and a number of other rulings.
Penalties for failure to comply with the HIPAA privacy and security requirements are significant. The minimum sits at $50,000 and can go all the way up to $1.5 million which could easily put some organizations out of business.
Business Associate Agreements
A hosting provider or another vendor may have the BAA incorporated within the Master Services Agreement (MSA) or have it in a standalone document.
Compliance with the new HIPAA rules is required as of September 23, 2013. It is strongly advised for all vendors and sub-contractors to have written documentation and policies for their HIPAA compliance policies and procedures. Business Associates should also conduct employee training on HIPAA compliance. They can also take action to enforce the HIPPA compliance policies with their organizations.
The BAA is reinforcing and documenting that the vendor or subcontractor in contact with PHI must have policies and procedures addressing HIPAA regulations. These include firewalls, password encryption, login access, employee training, etc. Documentation of all of the policies and procedures must also be readily available in the event of an audit.
Contact Connectria for assistance with HIPAA Compliance. We hope this information helped clarify some of your questions. You can also go directly to the source on the U.S. Department of Health & Human Resources website.