Hospital compliance officers and supply chain managers had better beware: The clock is ticking for their organizations to implement additional safeguards to protect their patients' protected health information, including having greater oversight over their business associates' activities. The urgency is due to HIPAA's omnibus rule that went into effect on March 23, 2013. The Office for Civil Rights is set to commence audits of covered entities' business associate oversight as early as Sept. 23, 2013. As a result, health organizations are seeking ways to mitigate their risk; those that fail to comply face significant civil and criminal penalties.
Written into the Health Information Technology for Economic and Clinical Health Act of 2009, the final HIPAA omnibus rule, which can be seen as a way to hold healthcare organizations accountable for their vendors' actions, has wide-reaching impacts on hospitals. For one, the new rules expand the definition of a business associate to include:
- Subcontractors that create, receive, maintain or transmit PHI on behalf of business associates;
- Entities that provide data transmission services and that require access to PHI on a routine basis;
- Outside document and data storage organizations that maintain PHI regardless of whether they access it;
- Personal health record vendors, or those that provide and manage personal health records on behalf of covered entities; and
- Financial institutions that offer services to healthcare providers, namely the ones that perform functions above and beyond typical remittance advice processing.
With electronic patient health information we make great gains in the coordination of care and patient care itself, but we also create opportunity for malice and abuse of ePHI. In fact, a study by the Office for Civil Rights concluded that 45 percent of healthcare providers and other covered entities had an average of five HIPAA data breaches during any given year, with two-thirds of incidents involving a business associate.
With this high incidence rate of patient data breaches, how long will it take for patients to lose confidence and trust in the new digital-healthcare environment, where much of their interaction with the care process is online? That loss of trust would erode many of the gains made so far and the future opportunities for healthcare advancement. Security measures to protect ePHI had to be expanded and deepened.
The impact on healthcare providers as covered entities will be significant. As an example, the final HIPAA omnibus rule will greatly increase the number of business associate vendors, both because of the expanded definition and because providers will now review vendors with a greater level of scrutiny. Oversight must be demonstrated through a comprehensive process, including documentation of the oversight policy and of the actions taken. For some organizations, oversight previously meant sending a business associate survey to suppliers' sales representatives, who signed off indicating they were not a business associate, and that was the end of it. This will not be acceptable under the new oversight requirements. Covered entities (healthcare providers, health systems and clearinghouses) need to examine their vendor relationships and take the necessary steps to guarantee that their business partners are doing everything they can to protect PHI. This includes not only completing a business associate agreement, but also requesting and obtaining the vendor's HIPAA training policy, proof of employee training, HIPAA breach policy, HIPAA data and materials destruction policy and other relevant policies and procedures. This level of oversight is strongly recommended. Should a data breach occur involving a vendor's employees, and no other policy/procedure requests were communicated to the vendor, the covered entity is in a much weaker position to defend against allegations of lack of oversight or willful neglect.
On a basic level, all vendors will need to be reviewed by the covered entity to determine their status as a business associate under the new regulations. Hospitals and health systems should consider lowering their exposure to risk by implementing a vendor management program, which does much of this initial screening on the front end when onboarding a vendor or considering a vendor during the RFP process. These solutions create a formalized procedure for healthcare organizations and their partners to establish new contracts with rules that ensure business associates meet the internal standards the hospital has set for itself, such as performing background checks on all employees with hospital access. But with some hospitals having relationships with more than several thousand vendors, a key component of any program is procurement cycle management software, which provides the scale and efficiency such a program needs and gives supply chain managers an additional tool for vendor sourcing, contract workflow and archiving, credentialing and onboarding.
OCR will begin auditing providers and their vendors on Sept. 23, 2013, looking for those that do not meet the new HIPAA omnibus provisions. With hospitals facing $1.5 million in fines for noncompliance — not to mention the public relations fallout from a data breach — it is an issue that is not to be taken lightly.
Mike Paris is vice president of eCommerce and supply chain solutions for Vendormate, which helps providers and vendors meet the regulatory and compliance requirements that form the foundation of strategic partnerships.