Final HIPAA Omnibus Rule Deadline Looms for Healthcare MSPs, VARs

As featured on SearchHealthIT

By John Moore

Channel partners in the healthcare industry are coming to grips with tighter U.S. security regulations and a pressing deadline.

In January, the Department of Health and Human Services (HHS) published a revised set of security and privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA). The department’s final HIPAA omnibus rule applies not only to healthcare organizations such as hospitals and medical practices, but to many of their contractors as well. The HIPAA regulations cover “business associates,” a group that essentially includes any contractor that handles patient information on a healthcare organization’s behalf. Resellers, managed services providers and cloud services vendors could potentially fall within the business associate category.

Business associates have until Sept. 23 to comply with the new regulations. Failure to do so has a serious downside: Violations can cost companies up to $1.5 million per year in fines. And running afoul of the government’s security standard damages reputations in addition to denting finances.

Channel companies, however, are still sorting out whether they fall within the scope of the revised HIPAA regulations — and how to adhere to them if they do.

“I think there are still quite a few out there who are doubting or questioning whether they really are business associates,” said Mac McMillan, CEO of CynergisTek Inc., an IT security consulting firm based in Austin, Texas, with a healthcare specialization.

“A lot of business associates are really not aware of what their responsibilities are going to be,” added Lee Barrett, executive director of Electronic Healthcare Network Accreditation Commission (EHNAC), a Farmington, Conn., organization that develops standard criteria and accredits organizations that electronically exchange healthcare data.

The details

HIPAA’s security and privacy provisions once applied strictly to healthcare providers and plans — “covered entities” in legal language. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 extended those provisions to business associates, while strengthening HIPAA’s security and privacy sections. A years-long process of crafting regulations that implement the law followed. An interim final rule came out in 2009, which the omnibus rule now supersedes.

The final HIPAA omnibus rule contains several key implications for business associates. One is direct liability. Previously, the key legal relationship was between the covered entity and the business associate. A contractor could end up in breach of contract for a HIPAA security lapse, but the government couldn’t go after them. The revised regulations, however, make business associates directly accountable to the government for their missteps.

Breach notification ranks as another top issue. The interim final rule made business associates responsible for notifying covered entities of a data security breach in cases that involved a “significant risk” of financial or reputational harm. The final HIPAA omnibus rule, however, replaces that harm threshold with a more objective standard, according to Barrett.

To wit, the regulations now state that any disclosure of patient data is considered a breach — and subject to notification — unless the business associate “demonstrates that there is low probability that protected health information has been compromised.”

In another change, the updated regulations apply to an expanded field of business associates. Earlier in the regulatory process, business associates were defined as companies working with protected patient data — firms engaged in processing health insurance claims, for example. The new rule, in contrast, describes business associates as companies that “create, receive, maintain or transmit” protected health data on a covered entity’s behalf.

The “maintain” reference places storage services providers under the business associate banner.

“Storage companies who previously were not considered to be business associates are now business associates as well,” Barrett explained, citing storage specialists such as Iron Mountain and cloud-based storage providers, in general, as examples.

In addition, the reach of HIPAA’s omnibus rule extends further with respect to the chain of commerce. Subcontractors to business associates may also be deemed business associates if they create, receive, maintain or transmit protected health information, according to the omnibus rule.

The shifting compliance burden may, in some cases, fall more heavily on contractors as opposed to their healthcare customers. McMillan suggested that business associates, because of the amount of information they possess and the number of clients they receive data from, may find themselves at greater risk for punitive action than a covered entity. He said companies involved in maintaining, hosting and processing data, in particular, may face higher risk.

Taking steps

Some channel companies already have taken action to reduce their HIPAA exposure as the compliance deadline nears.

TekLinks, a managed services provider based in Birmingham, Ala., found the need to prepare especially pressing after acquiring ClinicAnywhere in April. ClinicAnywhere (formerly ETG) provides managed services in the healthcare sector. TekLinks had healthcare customers prior to that acquisition, but hadn’t focused on the industry as a niche, noted David Powell, vice president of Managed and Cloud Services at TekLinks.

The addition of a healthcare-specific MSP reinforced the need to closely examine compliance, especially in light of the HITECH ramifications.

“The HITECH component … basically extended a lot of the requirements that used to be held by the covered entity all the way out to the business associate,” Powell said. “That put a lot more responsibility on us.”

TekLinks works with a law firm’s HIPAA practice to stay on top of the regulations. The law firm reviews the company’s business associate agreements with healthcare customers. HIPAA calls for such agreements when the business associate agrees to safeguard a covered entity’s patient data. Agreements vary in specificity, but typically spell out the security measures the covered entity expects of all contractors.

Powell said the law firm also provides a gap analysis that helps define what the service provider needs to do to meet contractual requirements. In addition, TekLinks works with a consulting firm that helps the company execute its plan for meeting those requirements.

Online Tech LLC, an Ann Arbor, Mich.-based data center services provider, said it has taken several steps to make its services HIPAA-compliant. Among those: a full risk assessment across the company that considered HIPAA’s administrative, physical and technical safeguards; updated policies and procedures; and the implementation of companywide HIPAA security training.

April Sage, director of the healthcare vertical at Online Tech, said the company also modified its standard business associate agreement to be consistent with the omnibus rule. In addition, she said, Online Tech purchased a data breach insurance policy.

Such policies typically cover costs associated with data breach notifications, which could potentially involve thousands of parties.

Online Tech also underwent an independent HIPAA audit, which employed the Health and Human Services Office for Civil Rights‘ Audit Protocol. The Office for Civil Rights, which is responsible for HIPAA enforcement, audited 115 covered entities during a pilot audit program that ended last year.

Getting started

TekLinks and Online Tech may well be further along the compliance path than many of their peers. McMillan said the IT businesses that have come to his company for assistance are “very much in the beginning of their readiness activities.”

A risk assessment is often a business associate’s first move in a HIPAA compliance effort. A baseline review of a company’s security posture aims to reveal areas that need improvement. McMillan said such reviews tend to find business associates lacking in several areas: mature security control policies and procedures, HIPAA and HITECH training for employees, and mature incident response and breach notification procedures, for instances.

Jeff VanSickel, practice leader for Security Compliance at SystemExperts Corp., a Sudbury, Mass.-based security consulting company, said his company offers a HIPAA compliance program that lays out the security and privacy rules and the details of breach notification requirements. He said SystemExperts can also help establish an information security program, which, among other things, classifies a business associate’s data.

“A lot of these service providers don’t have the baseline information security program in place whereby they can classify and protect information assets based on criticality and sensitivity,” VanSickel said.

Channel partners that have gone beyond the basics of assessing security may need to pursue other measures. For example, companies that established business associate agreements with covered entities prior to the new rule should review those contracts with an eye on Sept. 23, Barrett said. A business associate who uses subcontractors, meanwhile, needs to enter business associate agreements with those entities, he added.

“They need to look at this through the entire process flow,” Barrett said of a business associate’s response to the omnibus rule. “It needs to be far more comprehensive than the contract with the covered entity.”

The next three months could prove extremely busy for resellers and MSPs grappling with HIPAA omnibus compliance.