While most folks have not taken the time to read the 561-page HIPAA amendment regulation that goes into effect later this month, there is one huge issue lurking there for hospitals and physicians that use on-line services that digitally transfer, use, or store personal health information (PHI). The new regulations make these folks Business Associates, even if they are based in Mongolia or anywhere else in the world. And that means healthcare providers MUST have written Business Associate Agreements (BAA) with these services, and the services have to agree to comply with US regulations, including agreeing to Office of Civil Rights (OCR) inspections.
At this point, I should also point out that the regulation also makes new BAAs mandatory for all of the BAs of any provider, not just the online providers. Most of these new BAs don’t have a clue that they have just been slapped with HIPAA compliance or what that means. The online BAs are even bigger risks, however, because most providers don’t even realize that the nifty, spiffy online service is covered by HIPAA. They sign up online, click the “I Agree” button, and they have the service and are happy. Unfortunately, OCR won’t be happy if you don’t have a legally compliant BAA.
Some folks make the mistake of assuming that since the “cloud” or other service is encrypted, that is all they have to worry about. While encryption may save you from a data breach compliance issue, it does not take care of all of the HIPAA compliance issues. The service is a BA with or without a BAA, but it is likely to be operating outside of HIPAA compliance if there is no BAA. If there is a violation at the BA level, it is likely to be the BA that gets cited and fined, but OCR will also cite and fine the provider for not having a BAA and for not assuring that the BA was operating in compliance with HIPAA.
I also foresee an issue with some services that reside on foreign shores. Will they dutifully allow OCR to sift through their records and servers and turn over tons of records to US regulators? Maybe, or just maybe they will “flip off” OCR as some foreign pain in the posterior. If the latter is the case, we have seen how OCR has jacked up fines before — for failure to cooperate. Since the BA is off-shore, it is my prediction that when they fail to cooperate with the OCR, the on-shore provider will take the brunt of the feds’ displeasure in the form of maximum fines (which are $1.5 million per year for EACH type of violation).
For those of you who hate reading any more regulations than you have to, my daughter is publishing the revised rules along with the HIPAA audit protocol for each in a new book that is scheduled for release by the end of March 2013. I will post information as soon as it makes its appearance on Amazon, and I will make sure readers of this blog and my newsletter get a chance to get it at a substantial discount.
Your points are on the money. Many healthcare law firms are advising that CEs have an active program for managing their BAs which includes making sure that the BAs have BAAs with their subs.
We are just releasing a new service called BA Tracker that meets these needs. I would be happy to show it to anyone interested.
As one who does consulting for Security and Risk Assessments – what do we tell the hospitals we deal with