” Business Associates Get HIPAA Alert” – This post by Rebecca Herold and other privacy experts hit the highlights of this major change here.
We add specifics for brokers below.
The End of the Status Quo
I have been baffled at the lack of compliance I am seeing the market from brokers of all sizes.
It seems that many of you were confused by HITECH and others simply do not believe it will be enforced and many simply were playing Ostrich trying to ignore the law.
Yesterday HHS released clarifications (243 pages of mind numbing reading) of HIPAA HITECH that should end any speculation for a broker what the expectations, requirements and penalties for non compliance are.
We have pulled out relevant quotes for you to review but the bottom line is that your are fully accountable for compliance in the protection of PHI in your possession in any form and for the compliance of your employees and any subcontractors you might have that touch PHI. Penalties for non compliance are step and can be both civil and criminal and will be enforced.
Lets start with what HITECH is really all about…
HITECH is About Healthcare Reform and Cost Containment
“.. Department of Health and Human Services (HHS or The Department) guiding principles is that the benefits of health IT can only be fully realized if patients and providers are confident that electronic health information is kept private and secure. HHS’s goal…is to improve the nation’s health care system by enabling health information to follow the patient wherever and whenever it is needed…to ensure that this electronic exchange of health information is built on a foundation of privacy, and security.”
Comment – This is about healthcare reform and creating an electronic infrastructure that can be trusted like we trust the ATM, banking and credit card networks and will drive quality up and costs down more than almost anything else that can be done in the short (3-5 yr) term
Commitment
“Administration-wide commitment to make sure no one has access to your personal information unless you want them to… that supports building Americans’ rights to consent and control over PHI into electronic health systems and data exchange.”
Comment – these rules are here to stay and states also are creating their own
Business Associates = Covered Entities = Same Rules = Same Penalties
“The proposed rule would extend liability for failure to comply with the Privacy and Security Rules directly to business associates and business associate subcontractors in a manner similar to how they now apply to covered entities. The proposed rule would subject business associates to many of the same standards and implementation specifications, and to the same penalties, that apply to covered entities under the Security Rule and to some of the same standards and implementation specifications, and to the same penalties, that apply to covered entities under the Privacy Rule.”
Comment – For the system to work ALL players – large or small- have to be held accountable to the same standards. If there were any questions as to whether BA’s were subject to the same rules as carriers this ends that.
BA=BA Subcontractors=Same Rules = Same Penalties (NEW)
“Additionally, business associates would also be required to obtain satisfactory assurances in the form of a business associate agreement from subcontractors that the subcontractors will safeguard any protected health information in their possession. If the business associate learns of a pattern of activity or practice of a subcontractor that constitutes a material breach or violation of the contract, the business associate would be required to make reasonable attempts to repair the breach or correct the violation. If unsuccessful, the business associate would be required to terminate the contract, if feasible. In addition, a business associate would be required to furnish any information the Secretary requires to investigate whether the business associate is in compliance with the regulations.”
Comment – Just like a carrier is ultimately on the hook for BA behavior, you are on the hook for anyone you work with using PHI being compliant.
What Compliance Means:
“We assume that business associates in compliance with their contracts would have already:
- designated personnel to be responsible for
- formulating the organization’s
- privacy and
- security policies,
- performed a risk analysis, and
- invested in hardware and software to prevent and monitor for
- internal and
- external breaches of protected health information.”
Contractual Compliance Accountability
“We expect that most business associates make a good-faith effort to follow the terms of their contracts and comply with current security and privacy standards.”
Comment – If you have signed BA agreements with your clients and insurers your compliance is assumed and expected.
Legal and Financial Consequences Clarified
“For those business associates that have not already adopted HIPAA-compliant privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards.”
Comment – Failure to be compliance to meet your contractual obligations are subject to both criminal and civil penalties
Expectations for Getting Compliant
Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the protected health information under their control.
Comment – Clear direction that getting compliant is NOT an option
No “Turtle” Defense
“Moreover, a covered entity or business associate cannot assert an affirmative defense associated with its “lack of knowledge” if such lack of knowledge has resulted from its failure to inform itself about compliance obligations or to investigate received complaints or other information indicating likely noncompliance.”
Comment – Hiding in your shell. i.e. Ignorance real or pretended will not be defense against criminal and civil penalties
You Own Your Organization’s Behavior
“A business associate is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.”
Comment – You own any issues coming out of your employees behavior so train them well.
Specific Rules for Security and Privacy
“A covered entity or business associate must comply with the applicable standards, implementation specifications, and requirements of this subpart with respect to electronic protected health information of a covered entity.”
Comment – No option in meeting the standards
Administrative Standards Clarified
“Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.”
” A covered entity or business associate must, in accordance with § 164.306:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the coveredentity or business associate.
(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.
Comment – Clarity!
Physical Safeguards Clarified
Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
Comment – Clarity!
Security Standards Apply to BA’s Just Like CE’s
Ҥ 164.306 Security standards: General rules.
(a) General requirements. Covered entities and business associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.”
Comment – Clarity!
New Privacy Website Launched
http://www.hhs.gov/healthprivacy/index.html
Comment – all the details are and will be here
Action Steps
Your business is dependent upon trust and relationships and if a major breach occurs due to your lack of compliance your business and livelihood will be gone.
Getting your house in order with a risk assessment, the proper policies and procedures and the encryption needed to protect PHI is not that hard or expensive with our Compliance Radar and RadarMail 360 solutions.
Let us help you….
User error is 100% of the problems here but to help minimize the issues for people we have implemented the following for our RadarMail 360 shared portal and all of our client’s branded portals if they have authorized it.
Bottom line is that most standard policies do not cover cyber losses and 
We have been writing for months about the needs that all brokers have under HIPAA HITECH to get compliant and encrypt their data at rest and in motion (email). Here is a real breach, involving the Blues here in GA that has caused financial harm to a policyholder:
Benefits Broker Radar 