Early this month, the U.S. Department of Health and Human Services unveiled the long-awaited omnibus final rule for the Health Insurance Portability and Accountability Act of 1996, the act commonly known by its acronym, HIPAA. In one way, the implications couldn’t be clearer for healthcare IT services. In another sense, however, there are still plenty of questions for healthcare companies and their managed IT services partners to ponder.
The modified rules, which clocked in at 563 pages, covered a number of issues aimed at strengthening individuals’ privacy and security protections. Chief among these issues, from a provider perspective, is this development: Cloud vendors definitely fall under HIPAA’s purview. What that means for all business associates and subcontractors: You are now directly liable for violations of HIPAA, with new, stronger and stiffer penalties in place.
Cloud Services Now Under Direct Regulation
The issue of cloud vendors and their relationship to HIPAA had been debated extensively before the rules’ release; indeed, many expected HHS to clarify their standing. According to a recent article in Government Information Security,
Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, told a panel discussion on cloud computing that all business associates with access to patient data must comply with the privacy and security rules. “That brings cloud services under direct regulations of HIPAA,” the publication quoted her as saying.
Still, having the final rules pushed out provides a measure of certainty that the market had been lacking. The rules, for instance, note that business associates and subcontractors are directly liable for violations of applicable HIPAA privacy, security and breach notification rules, according to analysis by Pepper Hamilton LLP.
“This direct liability is in addition to contractual liability under business associate agreements,” according to Pepper Hamilton. “In discussing the modifications to the Security Rule requirements, HHS notes that as business associates, and their subcontractors, are already contractually obligated to comply with these requirements, compliance will only require ‘modest improvements.’”
Vendor Agreements Will Need to be Amended
Bradley Arant Boult Cummings says that most business associate agreements likely will need to be amended under the new rules, including related activities such as marketing and fundraising. It advises that: “Templates for business associates agreements, notices of privacy practices, marketing authorizations and other forms will need to be refined and updated to include certain, specified information.”
The rules also introduce a new, tiered penalty structure. Fines have been increased to as much as $50,000 for “willful neglect” that is not corrected, and $1.5 million for multiple violations of identical provisions. In short, the law will be enforced far more aggressively, Marcy Wilder, director of the global privacy and information management practice for Washington, D.C.-based law firm Hogan Lovells, told FierceHealthIT.
The new rules “dramatically increased the ability of HHS to impose monetary penalties. They also said that they expect HHS, when there is willful neglect involved in a violation, will not focus on informal resolution needs, but rather will take formal action,” said Wilder, former Deputy General Counsel for HHS, who served as the lead attorney in the development of HIPAA privacy regulations.
Some Uncertainty Remains: What Constitutes a Breach?
Despite its length, the omnibus rule leaves some thorny issues vague enough to leave room for interpretation. Bob Belfort, a healthcare lawyer at Manatt, Phelps & Phillips, told Healthcare IT News that privacy officers are still going to face tough calls each time a laptop is lost or stolen.
“There are two changes there,” Belfort told Healthcare IT News. “First, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, second, the burden of proof is clearly on the covered entity, so if it can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.”
Belfort says the best defense for healthcare companies is to ensure their IT services employ state-of-the-art security practices. “The best defense against breaches involving portable devices continues to be encryption, which still is a basis for not having to do breach notification,” he says. “The percentage of organizations effectively encrypting their portable devices is growing but it’s still not at the level where it should be.”