3 Steps to Avoid a $1.5M HIPAA Violation

May 14, 2013

New HIPAA compliance requirements for healthcare IT vendors expose vendors to civil penalties of up to $1.5 million per year for violations, and a missing Business Associate Agreement (BAA) with customers is now one of the ways a vendor can end up out of compliance. Effective March 26, 2013, the HIPAA Omnibus Rule governing data security puts more responsibility on IT vendors, or “business associates” in HIPAA terms, to secure Protected Health Information (PHI) while it is under the vendor’s control. Previously, covered entities, such as healthcare providers, hospitals, clinics, and insurers, carried most of the responsibility for complying with HIPAA privacy and security regulations. Now, vendors, including cloud storage and service providers, that create, receive, maintain, store or transmit PHI are directly accountable for security breaches and directly liable under the HIPAA compliance requirements.

According to the U.S. Department of Health & Human Services’ (HHS) January 2013 press release on the HIPAA Omnibus Rule, some of the largest breaches reported to HHS have involved business associates. Because much of the healthcare market is moving to mobile and cloud-based services, the Omnibus Rule places substantial weight on vendors’ shoulders. Here are three steps vendors can take to avoid a costly compliance oversight:

  1. Even if your healthcare customers have not asked you to sign a BAA in the past, now is the time for that discussion. Covered entities that choose not to sign a BAA are at serious risk, and vendors can reduce that risk by providing the required protections whether or not a BAA has been signed (covered entities are still required to obtain “satisfactory assurances” from their business associates). If your organization already has the tools in place to help customers comply, it is much easier to get them to actually sign a BAA. It is also to your advantage to be able to demonstrate compliance if HHS decides to audit you.
  2. Your subcontractors are liable, which means you are liable. Covered entities are not the only ones required to obtain “satisfactory assurances”; you are required to obtain them from your subcontractors as well. It is crucial that your subcontractors’ responsibilities are spelled out precisely and that they are meeting and enforcing all compliance requirements with their own customers, because if a breach occurs, the risk falls on you.
  3. Vendor agreements and accountability should be transparent. Clear, straightforward terms with both your customers and your subcontractors offer the best protection against PHI security mishaps. Articulating your technical requirements to your customers may be challenging, but it is worth the time and effort for them to fully understand their responsibilities and yours. Spelling out specific responsibilities for subcontractors is a must for HIPAA compliance.

Healthcare IT vendors have a 180-day period beyond the March 26 effective date before the compliance requirements must be met. Given the complexity of the new Omnibus Rule, vendors should become compliant sooner rather than later, and if they do not, they had better invest in a good legal department.

For more information on how security and privacy are impacting the healthcare market and where vendor opportunities exist, check out our Business Process Automation Study for Healthcare.

2016 InfoTrends, Inc.