Although the Omnibus Final Rule attempts to make clear, through its broad definition, who is and who is not a business associate (BA), some IT service providers that handle electronic protected health information (ePHI) on behalf of covered entities (i.e. healthcare providers) are making nuanced arguments that HIPAA does not apply to them.
One of the arguments revolves around encrypted ePHI: if the service provider does not have access to the decryption key, and so doesn’t know what’s inside the encrypted data, then the service provider cannot take responsibility for its contents. Other service providers are simply refusing to be considered a business associate, and do not provide a means for covered entities to discuss the nature of the data stored or processed on the provider’s servers.
Either way, it amounts to a kind of “Don’t ask, don’t tell” for health IT, a practice in stark contrast to the intent of the Omnibus Rule, which goes into effect Sept. 23, 2013, with stiff penalties for those who do not comply.
The problem with this thinking is that it takes a myopic view of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule as well as the Omnibus Final Rule. From an outsider’s perspective, “security” in the context of HIPAA is typically translated as “protecting ePHI against data breaches.” Hence, from this perspective, if the ePHI is encrypted, it is highly unlikely that an unauthorized person can gain access to this information.
But HIPAA security is not only about protecting ePHI against unauthorized access. Equally important is ensuring that ePHI is available to authorized individuals upon request to provide care.
Take, for example, the implementation specification of Emergency Access Procedure within the HIPAA Security Rule. The purpose of this provision is to ensure that covered entities have procedures in place to access ePHI outside of normal operational circumstances. It is incumbent upon the covered entities to define which kinds of situations would require emergency access; it’s implied that a service provider who maintains ePHI on behalf of a covered entity or business associate is also responsible for accommodating these situations, regardless of whether the ePHI is encrypted or not.
Another example involves business continuity and disaster recovery as required by the HIPAA Security Rule’s disaster recovery plan, emergency mode operation plan and contingency operations implementation specifications. Service providers must routinely test their business continuity and disaster recovery plans, analyze outages, train workforce members on these procedures and maintain documentation of these activities. Covered entities can be held accountable for the lack of planning on the service provider’s part if the lack of planning results in a breach.
Under the Omnibus Final Rule, a business associate is defined in terms of the functions or activities that it performs on behalf of a covered entity in relation to ePHI. An entity is not exempt from the definition of business associate and is not relieved of the accompanying compliance obligations simply because ePHI is encrypted.
All of this comes down to one simple notion: accountability. Or, as the Omnibus Final Rule puts it, prevention of security lapses due to outsourced IT arrangements. No matter where the ePHI flows, the full scope of HIPAA security must be considered. Attempts at derogation of responsibility in that flow miss the point entirely, and covered entities remain accountable.
Service providers doing business with covered entities need to realize that they are responsible for ePHI – no matter the form – and that they too may be held accountable at the discretion of the Department of Health and Human Services. For a service provider, it’s a huge gamble, since instances of noncompliance could be deemed willful negligence, subjecting covered entities and their business associates to significant monetary penalties. Under the new tiered-penalty structure, penalties for repeated willful neglect can be as high as $1.5 million per violation.
Covered entities should review their business associate relationships immediately as the compliance clock is ticking down to Sept. 23, 2013. They will need to ask the difficult questions about how their service provider manages operations with respect to the full scope of HIPAA security, and establish expectations around the assurances given for compliance.
As you can see, the Omnibus Final Rule, while meant to clarify accountability, raises additional questions for the health IT community. We are hopeful that this article provides you with a better understanding of the role of covered entities and business associates under HIPAA.
Verizon offers managed hosting and cloud services designed to meet appropriate HIPAA controls for storing and protecting ePHI. This includes signing a Business Associate Agreement with covered entities storing their ePHI with Verizon.
About the Author
Chris Davis is compliance solutions architect, Verizon. For more on Verizon: www.rsleads.com/307ht-202