In the first part of this 2-part blog, we saw the update about the HIPAA Omnibus Rule and the deadline for compliance (September 23rd, 2013). Now, let’s analyze the before & after of this new rule, and if it really applies to you. (Check out the examples given for better understanding.)

The Scene Before HIPAA Omnibus…
Before this law was enacted, it was the responsibility of healthcare providers (hospitals, clearinghouses, insurance companies, etc.) to report to HHS about any breach into the protected health information (PHI) that they store. And they had to comply with the detailed HIPAA Privacy Rule and HIPAA Security Rule in order to show that the PHI had been properly safeguarded, and not been exposed or manipulated.

The business associates, who help these healthcare providers to do their job, did not have such an obligation. Business associates were answerable only to the healthcare providers that they worked for. The healthcare providers stipulated via a contract that these associates should have necessary security protocols and technologies in place to protect the PHI they handled. Never was a business associate liable to penalties for being non-compliant.

The Scene After HIPAA Omnibus…
Now, the scene is different. The new law clearly states that the “business associates” of healthcare entities should directly report to HHS in the event of a PHI breach! It is also mandatory for business associates to comply with HIPAA Security Rule and HIPAA Privacy Rule, which requires installation of proper safeguards as prescribed by those stringent rules. The rules also prescribe the procedures to be followed in the event of a breach and how the breach should be notified. Now, business associates have to follow all these guidelines. Any noncompliance would be treated with harsh penalties.

Most importantly, the Omnibus Rule has redefined the term business associate and broadened its scope. With this new definition, several organizations that are indirectly associated with a healthcare provider too fall under the ambit of HIPAA regulations.

For more details: HHS News Release

Business Associates: the new meaning, your possible new identity & responsibility
The new law clearly defines the criteria for “healthcare business associates” to also include organizations that might not create or manage PHI, but might have to access it for some reason or maintain it:

A business associate is generally a person or entity that creates, receives, maintains, or transmits protected health information (PHI) in fulfilling certain functions or activities for a HIPAA-covered entity.

Then, the rule goes on to define when an organization that just houses or transmits PHI becomes a business associate. It states that any such organization, if accesses PHI routinely, then it is a business associate.

Based on that, if you are…

  1. A document storage house which merely houses PHI, then you are business associate, as you are maintaining PHI.
  2. A courier working for a covered entity, you have no need to worry. You are not a business associate, though you are transmitting PHI, as you only serve as conduit that never really accessed information – not even infrequently.
Hope that explains the difference.

Then there are obligations incurred via transitive relations: the subcontractors
The new amendments demand compliance obligations from subcontractors, who may not previously have viewed themselves as business associates. Now, these subcontractors must directly comply with HIPAA Security and Privacy Rules. Let’s clarify this with a few examples.

Example 1: You are an IT solutions provider.
Assume an agency that maintains the PHI of a network of hospitals in a community. Naturally, this agency is a healthcare business associate. Now, if this company contracts your service, say to build some online portal to view and update PHI, then you also become a “business associate”. You should comply with HIPAA. (Here, you are party to the circle that has “accessed” and also “maintained” PHI, even though for a completely different reason.)

Example 2: You are a BPO or a call center.
Assume a business associate provides telephonic support to patients of a group of hospitals, and answers their questions and clarifies their healthcare doubts. It is loaded with too much of calls. It decides to contract your service to help answer patients’ questions, via phone or email. And you access their PHI to answer their queries. Then you become a business associate and have to comply with HIPAA.

So, what are you? Are you a business associate? If so, what should you do now?

What if you discover that you are a business associate?

Install enough safeguards (as prescribed by HIPAA Security Rule).

  1. Prepare your IT. Get your IAM basics right.
  2. Perfect the access controls in your organization. Better still, define roles and implement role based access.
  3. Access Governance & Auditing: Most importantly, implement a sound auditing system, which will track every access in the organization.
  4. Above all make sure, your staff is not inadvertently leaking PHI via emails! Audit email infrastructure, please. Better still, archive email communications.
  5. Train the staff about new HIPAA disclosure and notification rules. For more details…

You don’t want all this fuss. Call us. ManageEngine has quite an array of Windows Management solutions that help you out with your IAM and security goals, and make you compliant with any regulatory law.

For more details about IAM, IT Security, and Compliance tools:

AD360: An end-to-end integrated IAM solution
ADAudit Plus: Auditing solution for Active Directory, File Server, NetApp Filers
ADManager Plus: Active Directory Management & Reporting
Exchange Reporter Plus: Exchange Reporting & Auditing Software

We will continue posting more information related to the new HIPAA, how you can comply with it, and how our tools can help you. Stay tuned.