Since the HIPAA omnibus effective date, Sept. 23, is about a month and a half away, covered entities and business associates alike are preparing to be compliant in the eyes of the Office for Civil Rights (OCR).
Law firms are beginning to see an uptick in conversations with healthcare organizations and vendors to ensure that if and when OCR pays a visit in 2014, they fully understand their responsibilities and, nearly as importantly, have their compliance efforts documented. Drinker Biddle & Reath partner Jennifer Breuer and senior advisor David Mayer (former senior advisor for OCR compliance and enforcement) told HealthITSecurity.com that some of their clients have begun to update documents and confirm that they’ve accomplished tasks such as updating notices of privacy practices.
Which of your clients are affected by the HIPAA omnibus rule? What are you seeing out in the field?
Breuer: We work with both covered entities and business associates in a variety of different capacities. [It ranges from] work with EHR vendors to companies that provide dietary services to hospitals.
From our standpoint, most organizations that were covered entities that we work with had been fairly HIPAA-compliant before the omnibus rule came into effect. They certainly had notices of privacy practices and business associate agreements (BAAs) in place. Whether every “i” was dotted is another question, but I know they had them.
Now we’re seeing a lot of activity in trying to provide those and ensure that they are up to date. We’re reviewing a lot of forms, and organizations are asking if they have to update those forms now and wondering how much time they have. The sheer magnitude for big healthcare organizations, in terms of the contracting process and making sure of what a new BAA entails, includes everyone knowing exactly which contracts are already in place. That is a big push right now.
How are the BAs you work with being affected?
Breuer: With respect to covered entities, it’s not so much that there’s wholesale change as that there are tweaks here and there. So [the ones we work with] aren’t really concerned with compliance. However, with respect to BAs, it’s a whole new world.
We’re seeing a lot of organizations that purport or want to work in the healthcare industry, but when you push back on them with a BAA, they won’t want to sign it. Or they’ll say, “We’re happy to sign this agreement, but you have to tell us what it means.” Then, of course, we get concerns on the covered entity side that they’re not sure themselves what a BA means. And yet they’re obligated by the law to know what it means, because they don’t want to take on the vendor’s compliance responsibilities for them, and they may be afraid enough for their own information not to use them as vendors if they don’t know their own obligations.
Healthcare organizations have real responsibilities for contractors and subcontractors that they choose, so that’s something they may need to look at a bit more closely than they had in the past.
Mayer: Business associates, now that this is a direct liability, are examining their responsibilities much more carefully than they had previously.
In light of the recent Oregon Health and Science University (OHSU) breach, which involved not having a BAA with Google, what’s the current landscape with cloud providers and BAAs?
Breuer: I don’t know exactly what Google’s policy is now, but I know for a long time it wouldn’t sign a BAA, and neither would Microsoft, which now has one with Office 365, and they won’t vary from the particulars of their own contract. It’s very clear from the new rule that cloud service providers are BAs, and that’s something to be concerned about. Historically, there was an argument to be made that if data was encrypted in the cloud, while there still may be vendor responsibility to secure the cloud from a business perspective beyond HIPAA, at least you’re in a safe harbor position where there’s no disclosure needed from a breach notification standpoint. I don’t know if that’s always true – that information is protected in the cloud.
The answer right now is that BAs see enough other business out there where they don’t have to take on that risk. If they’re going to be a healthcare service provider, they’re going to have to think about that specifically. Companies didn’t think about it as much in the early days of cloud computing. There seems to be enough data out there where they don’t need healthcare.
Mayer: The nature of your agreement with the service provider is also important because cloud services are provided in a variety of ways. Covered entities and BAs, when negotiating cloud services, are talking about not sharing a server for certain reasons and that the data must reside in a certain place. It’s all about location.