In January the Department of Health and Human Services (HHS) released the much-awaited final updates to the HIPAA Security, Privacy and Enforcement Rules. These updates, known as the “Omnibus Rule”, were required by the HITECH Act and have been in proposal form since 2010. The new law incorporates some major changes in the HIPAA security and privacy rules, including a new focus on the risk of third party vendors (aka Business Associates).
300,000 Business Associates Impacted
Perhaps the most sweeping change was the extension of HIPAA to “make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.” In short, Business Associates (BA) that process electronic protected health information (ePHI) are now required to conform to the same data protection requirements as covered entities (CA). In addition to the compliance requirements, the legal liability for HIPAA violations was also extended to the vendors.
According to HHS, an estimated 250,000 to 400,000 new organizations will be required to comply with HIPAA security requirements. This represents a substantial number of small and medium-sized businesses that are suddenly faced with the burden of compliance.
In addition to this compliance requirement on the vendors, each covered entity (CA) will be required to perform due diligence in screening, managing and assessing third party vendors. As usual, a key part of this validation will be the effectiveness of the written information security policies of the business associate.
§ 164.308 Administrative safeguards.
“(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.”
The Cost of Compliance – Are they serious?
Here’s the good news – if you believe HHS, you can charge these new compliance efforts to your corporate credit card. In its required economic impact analysis, HHS estimates the total impact of this new compliance effort on business associates to be between $22 and $113 million. If you assume the highest estimate for 400,000 organizations – this works out to be roughly $250 per organization. (Are they serious?) In the real world, these costs will likely be much higher. A robust information security program that can be validated by a third party is not a small effort. At Information Shield we are doing our part by offering cost-effective solutions to help you establish and document your written information security program.
Solutions for the Human Side of Security
HIPAA compliance should not just be a documentation exercise. If your organization is going to make the effort, why not create a sound information security program that actually reduces risk? Information Shield solutions help you accomplish this sensible goal. We have everything you need to manage the “people” side of information security and privacy: quality information security policies, security awareness training and compliance management. You can spend millions of dollars on technical security (firewalls, antivirus, spam filtering, IDS) and still have a breach with ONE human mistake.