With a fast-approaching date for compliance with the Final Omnibus Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), business associates and their subcontractors are being thrust into a world where they will be held accountable for protecting health information. Under the Final Rule, which was issued by the Department of Health and Human Services (HHS) on January 17 and went into effect on March 26, many of those entities may be caught unprepared or even unaware that they are considered a business associate. That can expose them to substantial penalties once the HHS Office for Civil Rights commences routine HIPAA compliance audits, which is expected in September.
According to Brian Lapidus, head of the incident response and remediation group at the New York-based Kroll Advisory Solutions, “A lot of business associates don’t even know that they are business associates. This is going to be a wakeup call for them.” (Kroll offers a Business Associate HIPAA Self Risk Assessment tool, and also advises business associates and subcontractors on how to meet the requirements under the HIPAA Final Rule.)
Lapidus classifies business associates into two different groups. The first group includes companies that are aware of the HIPAA requirements and cognizant of their relationship with the healthcare provider, so they are used to thinking about HIPAA compliance. The second group is not compliant and is going to be unprepared; for many in this group, healthcare is not a typical function, he says. One possible example: a business that has set up a self-funded health plan and finds itself holding PHI on its employees, which makes it a business associate. “If it is a non-regulated business and it is doing that, I guarantee it has never thought of itself as a business associate,” he says.
Lapidus observes that in the age of Big Data, the volume of data continues to grow as more organizations are using data as an asset to understand consumer trends. The fact is that data escapes, and organizations need to be aware of its vulnerabilities, he says. In his view, the biggest wild card in data breaches is human behavior, in the form of malicious insiders, negligent insiders, or criminal hackers. While he declines to identify a “typical” breach, he stresses that organizations need to be mindful of their responsibility to protect data.
The biggest challenge in the Final Rule is the elimination of the harm provision, which essentially lowers the threshold for breach notification: instead of establishing that no harm occurred as a result of a breach, an organization must now establish that there was a low probability that the data was compromised. Lapidus says organizations will need to run an investigation or perform due diligence that can be challenging, depending on the complexity of the event.
“Our takeaway is that business associates need to get ready, because it’s coming,” Lapidus says. “There’s going to be scrutiny on what they are doing and how they are doing it.”