The HIPAA/HITECH Omnibus Rule introduced stringent requirements, and small businesses and private practices have taken the brunt of the legislative gavel. According to this rule, you are held liable for the HIPAA compliance of your subcontractors. This means that you are still penalized even if the breach did not occur within your office. There are several simple solutions to eliminate this threat; the first step is to understand what the HIPAA/HITECH Omnibus Rule means for your business.
In HIPAA language, a subcontractor is referred to as a Business Associate (BA). A BA is any organization that has, or could potentially have, access to the electronic protected health information (e-PHI) of your clients/patients. Basically, a BA includes any company that performs services on your behalf, such as claims processing, data analysis, utilization review, billing, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
Several industry examples include:
- An Information Technology company or Hosting company that stores or manages your electronic protected health information (e-PHI)
- A CPA firm that provides accounting services to a health care provider
- An attorney providing legal services to a health entity
- An independent medical transcriptionist
As a health care provider who manages or maintains protected health information, you are considered a Covered Entity (CE). In the early years of HIPAA, breach penalties were light for CEs. Confusion about HIPAA compliance was widespread nationwide, and the U.S. Department of Health & Human Services (HHS) was fairly lenient as organizations scrambled to comply. During this time, small businesses and private practices didn’t have to worry too much about the conduct of their subcontracted BAs – as long as they had a Business Associate Agreement (BAA) in place with the subcontractor, they were covered.
However, as confusion waned and HIPAA regulations became more familiar, HIPAA requirements intensified. And in September 2013, the game changed completely with the issuance of the final HIPAA/HITECH Omnibus Rule.
Prior to this rule, CEs were protected by a safe harbor that shielded them from the HIPAA penalties resulting from a HIPAA violation of their BA or a subcontractor of the BA. However, the HIPAA/HITECH Omnibus Rule eliminated this safe harbor, making CEs liable for any HIPAA breach resulting from a BA’s misconduct. Your subcontracted BA must now follow the same HIPAA rules as you do, and you are held directly liable for their conduct.
What Does This Mean for You?
As a small business or private practice, you might outsource a variety of IT services to third-party vendors. For example, an outside company may handle your data storage and/or data backup. Because these third-party vendors store e-PHI, they are considered BAs, so you are responsible for their HIPAA compliance, as well as for the compliance of their subcontractors.
This is a very risky scenario. The data hosting requirements for HIPAA IT compliance are rigorous, calling for the services of a HIPAA data hosting company that is solely dedicated to HIPAA compliance.
As a secure BA, you can trust that the services of a HIPAA-dedicated data hosting company will eliminate the risk of a HIPAA breach that involves your patient/client e-PHI, not to mention eliminating the extensive overhead of staying HIPAA IT compliant.