The new Ominbus HIPAA regulations can be overwhelming but they cannot be ignored as the risk to your business is just too great in (in the form of penalties of $50K-$1.5 Million). Here is a summary of the most important changes made January 2013. Although they will not go into an effect until September 23, now is the time to ask your HIPAA Compliant hosting provider to sign a Business Associate Agreement (BAA) if you haven’t done so yet.
Reasons Why Your Hosting Provider Might Not Want to Sign a BAA
- Expanded definition of business associate– the new regulation covers not only vendors of the healthcare provider, but also any sub-contractors. Many hosting providers used to try to take a position that they are not really business associates because they don’t view health information that is housed on their servers is encrypted. The new government regulations state that as long as you house protected health information (PHI) data or electronic medical records (EMR) within your data center for a substantial amount of time you are considered a business associate.
- Directly liability for compliance with HIPAA security rules– According to the law, there has to be a HIPAA compliance security program in place. Business associates and subcontractors are directly liable to the government for failure to comply with the requirements of the HIPAA Security Rules are subject to the same penalties as covered entities (such as a Healthcare provider).
- Direct Liability for compliance with certain Requirements of HIPAA Privacy Rules– The new HIPAA rules provide that business associates are directly liable to the government under the HIPAA Privacy Rules and are subject to sanctions in certain situations such as failing to notify a covered entity of a breach of Unsecured PHI, uses and disclosures of PHI that are not consistent with the business associate agreement or HIPAA privacy rules, and a number of other rulings (reach out to us for a full list email@example.com)
- Penalties- Penalties for failure to comply with the HIPAA privacy and security requirements are significant with the minimum at $50,000 going all the way up to $1.5 Million which could easily put some organizations out of business.
- Business Associate Agreements– a Hosting provider or another vendor may have the BAA incorporated within the Master Services Agreement (MSA) or have it in a standalone document.
- Demonstrating Compliance– Compliance with the new HIPAA rules is required as of September 23, 2013. It is strongly advised for all vendors and sub-contractors to have written documentation and policies for their HIPAA compliance policies and procedures. Business Associates should also conduct employee training on HIPAA compliance and take actions to enforce the HIPPA compliance policies with their organizations.
The BAA is reinforcing and documenting that the vendor or subcontractor in contact with PHI must have policies and procedures addressing HIPAA regulations. These include: firewalls, password encryption, login access, employee training, etc. Documentation of all of the policies and procedures must also be readily available in the event of an audit.
We hope this information helped clarify some of your questions. You can also go directly to the source on the U.S. Department of Health & Human Resources website. As always feel free to reach out to us if you have any questions at firstname.lastname@example.org. Don’t delay, make sure your hosting provider is HIPAA Compliant.