451 Research produced the article below, which is an excellent summary of recent changes to HIPAA — and a solid reminder of why it is so important to understand, and have faith in, the compliance measures in place with your data center services provider.
Fret not, for AIS customers are in good hands. Read more about our compliance levels here — or simply talk to us to find out all the many details of what we are doing to provide customer compliance support.
Emphasis in red added by me.
Brian Wood, VP Marketing
HIPAA final rule released: what it means for MTDC providers
On January 17, the US Department of Health and Human Services (HHS) issued the final modification to the HIPAA privacy, security, enforcement, and breach notification rules, which make sweeping changes to the regulatory environment for those vendors supporting healthcare information technology.
While the scope of the changes are massive – the HHS document is over 560 pages long – the impact for multi-tenant datacenter (MTDC) providers will come mainly from two broad contextual areas: the definition and liability of business associates (BA), and the broad definition of a data breach.
With these rule changes, it is key to understand that BAs are now directly subject to enforcement action from the HHS Office of Civil Rights (OCR), and subject to the significantly increased fines and penalties legislated by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
It is important that MTDC providers consider these changes within the ongoing context of the already established HIPAA Security Rule relating to administrative, physical and technical safeguards. This ruling indicates these existing practices related to protected health information (PHI) security should already be in place, and the changes related to BA definitions and clarifying what constitutes a breach must be viewed within the context of the HIPAA Security Rule as it extends to BAs.
Are MTDC providers ‘business associates’?
We have already looked at HIPAA compliance issues as they relate to MTDC providers. Central to the early analysis of the new, sweeping rule changes is the question of whether a MTDC provider is a business associate. Most interpretations of the HIPAA Security Rule indicate the conservative answer to that question must be yes, they are. Explanations of the rule note that a mail carrier, for example, is not a business associate because he or she is purely a temporary conduit of PHI.
When reading the definition, the rule defines a BA as any person or entity who, working on behalf of a covered entity, “creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management and repricing.” While that definition mostly speaks to the activities associated with managing healthcare IT, it is clear that MTDC providers receive PHI data within the providers’ storage systems, and may be involved with the subsequent transmission of such data.
Further clarification within the HIPAA Security Rule stipulate that subcontractors to BAs are themselves BAs as well, and this continues in a supply chain manner throughout organizations that are involved with the PHI data. Within this context and framework, MTDC vendors whose customers are handling PHI data need to consider themselves subject to the direct HIPAA enforcement that the new rules provide for, including the potential for direct fines and penalties in the event of a breach or other violation.
This is a change from previous understanding and treatment of BAs. In the past, they would only be indirectly subject to the HIPAA regulations, in a manner that most likely would be covered within terms and conditions set forth in contracts. At each level, from covered entities (CEs) to BAs (including subcontractors), the new rule calls for a Business Associate Agreement (BAA) to be in place between parties.
How has breach notification changed?
A second area of the rule changes that affect MTDC providers concerns PHI data breaches and the associated notification responsibility. BAs are now directly responsible, just as a CE would be, for data breaches, which include:
- Impermissible use or disclosure of PHI
- Failure to provide breach notification back to the CE
- Failure to provide access to a copy of electronic PHI to any of the covered entity, the individual or the individual’s designated party
- Failure to disclose PHI when required by the Secretary of the Department of Health and Human Services related to investigations or compliance reviews
- Failure to provide a detailed accounting of any disclosures
- Failures associated with the HIPAA Security Rule
The HHS stipulates different levels of notification depending on the scale of a breach; ‘large breaches’ are defined as those that affect 500 or more people. In the past, the standard of a breach was whether it caused a significant risk or harm; under the new rule, any impermissible use is a breach. Such casual viewing of PHI data might occur in the normal course of operational troubleshooting of storage systems where the PHI may be located. Certainly more egregious would be the intentional viewing of such data by support staff. As recommended by 451 Research and confirmed by one MTDC provider, Online Tech, both casual and intentional viewing can be easily prevented if the data is encrypted while stored. In the past, any suspected breach would trigger an analysis of the potential level of harm prior to a breach notification; under the new rules, no analysis is needed, because every impermissible use is, by definition, a breach. A BA can avoid this breach notification only if it can prove through a breach risk assessment that there is a low probability PHI has been compromised; an example of such a proof would include whether the data has been encrypted within the system.
What happens next?
The new rule becomes effective on March 26, and any organization will have 180 days to come into compliance by September 23. During this time CEs will be putting into place BAAs with all parties and subcontractors as defined under the new rule. Within the context of the business agreements between CEs and BAs, it would be wise for MTDC providers to understand – and perhaps establish policies for – how the HIPAA privacy and security rules will be followed.
Consider, for example, an item stipulated by HIPAA as ‘addressable’ – that is, not always required – data encryption. Depending on the nature of its services with the CE, an MTDC provider may not control whether data is encrypted or not; that is usually within the control of the party actually running any application software. For colocation services, it is unlikely that the MTDC provider would have set that control; within a managed hosting context, it is more likely to set a standard related to encryption. Within the context of cloud-based services and software as a service (SaaS), the vendor would likely be defining any encryption standards. From the MTDC perspective, it is absolutely to its benefit and protection that data be encrypted, and may be a stipulation the vendor would wish to make for any BAA. This prevents any casual impermissible use from occurring in the normal course of system management and maintenance.
As to risk assessments, CEs and BAs should recognize that this term is used within the context of these rules in two very different ways that should not be confused. Within the context of determining whether a breach which has occurred requires notification, a breach risk assessment considers (a) the nature and extent of the PHI data involved, (b) who the recipient of the data was, (c) was the PHI actually viewed by the recipient and (d) the extent to which the risk has been mitigated.
Under the existing provisions of the HIPAA Security Rule – 45 CFR 164.308(a)(1)(ii)(A) – a risk assessment has been required for CEs; under the new changes, such risk assessment is now also required for all BAs.
MTDC vendors across the mix of customers will deal with all types of sensitive, mission-critical data; conducting a formal risk assessment not only protects each vendor’s operational integrity, but can also be positioned as a valuable benefit for all customers. In addition to conducting the periodic risk assessment, it is incumbent on MTDC vendors to take appropriate steps to mitigate risks that the assessment identifies; such risks may be different depending on the nature of the applications or data involved, but for PHI data, the business risk to the MTDC vendor is frighteningly large. The HIPAA fines and penalties for violations that were stipulated under the HITECH Act can reach as high as $1.5 million per violation. One breach can easily wipe out multiple years of profits for smaller providers, leading to the very real potential of losing the business.
The 451 Take
In examining the new rules, we have spoken with multiple MTDC providers; each has raised the concern that these new rules make HIPAA a serious issue for the providers, with the direct impact of enforcement actions possible against them as BAs. With that in mind, we recommend that MTDC vendors that have healthcare customers do the following:
- Ensure that BAAs are in place with both healthcare customers and subcontractors that may have access to PHI data, and stipulate that PHI data should be encrypted in storage and in flight.
- Conduct a formal risk assessment, and take action on any findings from the assessment to mitigate risks that may lead to PHI breaches.
- Ensure that business policies and practices include the periodic review of risks, and ensure the ongoing employee training and awareness of associated policies keep staff aware of the business requirements.
The expanded scope of the HIPAA privacy and security rules cannot be avoided by MTDC vendors if they serve healthcare customers. It is a far better approach to get ahead of these new issues over the next six months than to wait for something bad to happen. Ignorance of the law is never a defense, and the financial penalties are simply too high to not take these rule changes seriously. That is why the penalties were increased, so that the serious responsibility of keeping PHI private and secure is understood and met by all parties associated with healthcare information technology.