HIPPA has classically only applied to healthcare providers, health plans and those that process health insurance claims. However, since its inception 1996, the healthcare community has grown and expanded in unexpected ways, necessitating new rules to ensure patient privacy and protection of their healthcare records. With the Department of Health and Human Services (HHS) reporting that some of the largest breaches of security involved business associates (BA), the Omnibus Rule was created. It holds all entities in association with a healthcare facility accountable for any breach in information. By extending many of the same requirements to a provider’s BA, HHS hopes these changes will enhance patient rights and protection as well as strengthen their ability to enforce HIPPA laws.
With the Omnibus Rule going into effect next month on September 23, 2013, it’s important to ensure that all departments have obtained the appropriate documentation for their BAs. This is especially necessary for the IT department since a recent article in Health Management Technology highlighted the ways that some businesses are getting around the ruling and leaving themselves and the provider exposed.
Companies that offer storage solutions are arguing that they are exempt from the new ruling due to encryption standards utilized in the storage of the data. The specifics relate to the encryption keys that are used to encrypt and decrypt the data. The companies are claiming that they are exempt from the Omnibus Rule since they do not have the decryption key, which is required to unlock the information they store for the hospital. However, they still possess the encrypted information on a hard drive.
Are they still liable?
I think so.
They are equally as liable as the hospital since they are in possession of the encrypted data, decryption key or not. After all, encryption is continuously evolving and changing as different flaws or problems are found with the current standard. Knowing this, how can any BA claim exception from liability? If your facility has any business entity or contractor that has not provided you with a signed BA agreement thus far, you may want to look for another vendor that is willing to sign one soon. Time is running out. Consider re-evaluating any contract with a BA stating that they are exempt. In the long run it may be cheaper to cancel your agreement with them instead of risking the penalties imposed against your facility due to any information breach.
Remember, identifying and understanding your vulnerabilities with this ruling will enable you to better prepare for September 23rd.