Healthcare Information Security

HIPAA and Compliance News

Are HIPAA business associates aware of their obligations?

By Patrick Ouellette

The Sept. 23 HIPAA Omnibus Rule deadline is closing in, but Coalfire’s “The Final Omnibus Rule – Awareness and Compliance among Healthcare Business Associates” report was released today, and some organizations may not be as prepared as they hoped.

Coalfire, an IT governance, risk and compliance consultancy, produced results that were largely expected, but several HIPAA compliance trends are still worth noting. Here are some numbers from the report:

- Only 40 percent of respondents were aware of their responsibilities as a business associate (BA) under the Omnibus Rule; 28 percent were somewhat aware and another 32 percent were unaware.

- 64 percent have assessed their HIPAA omnibus compliance, while 28 percent were unsure and 16 percent hadn’t performed an assessment.

- A mere 44 percent believe their organization is HIPAA omnibus compliant, another 24 percent are unsure and 32 percent are partially compliant.

Andrew Hicks, Coalfire’s National Healthcare Practice Lead and author of the report, spoke about Coalfire’s findings and how his organization works with covered entities, BAs and subcontractors in becoming HIPAA compliant.

Hicks believes that, just as there was a very slow migration toward HIPAA compliance when the HIPAA Privacy and Security rules first came out in 1996, omnibus compliance will take some time. “We’re going to see a lot of business associates (BAs) and subcontractors that are on the fence on whether they actually need to comply with HIPAA,” Hicks said. “I think it will take some time and significant penalties to really increase awareness and get everyone on board compliance-wise.”

Hicks went on to say that the biggest thing Coalfire wants to do from a scoping and overall delivery standpoint is engage with the customer and gain a solid understanding of what their protected health information (PHI) environment looks like. Coalfire asks a customer where PHI lives in its infrastructure, and some answer, “well, some may be here and some may be there.” Then the assessors get on site and find that employees are actually emailing PHI and that it sits on mobile devices and backup tapes.

“We’re trying to figure out what the biggest HIPAA footprint for an organization is, and once we’ve done that, we look at policies and procedures and compare to past risk assessments. We offer a few different services. One is a high-level gap assessment where there’s minimal testing and we’ll more or less take a healthcare organization’s word on what controls they have in place. In our full compliance assessments, we dive much deeper into testing the controls that organizations say they have in place and ensuring they’re effective.”

Dealing with technical issues and downstream data trends

Hicks and Coalfire consistently grapple with whether organizations are actually encrypting their PHI, a problem underscored by the volume of unencrypted laptops that have been stolen. He maintains that unless an organization faces technical constraints that make encrypting PHI impossible because of legacy system complications, Coalfire highly advises that it encrypt its data. “Some of [the reasons organizations don’t encrypt their data] are related to funding, but there are also technical implications where maybe your application won’t talk to your legacy database if it’s encrypted,” he said. “And some organizations just assume the risk because they don’t have the resources or expertise to encrypt.”

Many organizations don’t even know that they need to comply or what they need to do, but if they touch PHI they will still be considered a subcontractor of a BA under the HIPAA omnibus rule. However, Hicks maintains that the fundamental things a covered entity, BA or subcontractor needs to do – risk assessments, encryption, training, policies and procedures, knowing where all PHI lives – are things that even the best covered entities still struggle with.

Another area of importance is vendor management under the HIPAA omnibus rule, which calls for organizations to proactively engage with their BAs. Organizations are looking for a vendor management tool to ensure their BAs’ HIPAA compliance, because they are now on the hook for ensuring that the PHI their BAs handle is safe.

