The $750,000 HIPAA settlement by Cancer Care Group in early September once again brought HIPAA and the HITECH Act into the spotlight. Although that case did not involve an outsourced vendor situation, it highlighted the consequences of not complying.
The 2015 cycle of compliance audits by the Office for Civil Rights (OCR) was supposed to ramp up its HIPAA privacy and security audit program for covered entities (CEs) and business associates (BAs). Thus far this has not happened.
In fact, the audit cycle has been postponed multiple times and it is still not clear exactly when the new program will happen; many believe it will only start in 2016.
In addition, there have been renewed concerns that a proposed regulation under the HITECH Act, which would give healthcare consumers the right to an accounting of disclosures of their personal health information, may come into force. This long-dormant HIPAA issue has not yet been clarified, but the implications could be significant.
Could Accounting Disclosure Be On The Cards Again?
“The OCR has a long list of priorities that it needs to look at. They have indicated that they are going to be considering this accounting disclosure but it is not top of the priority list. Rather the focus seems to be on providing guidance on patient access and on the use of cloud computing,” privacy attorney Adam Greene, a partner at Davis Wright Tremaine LLP in Washington, told Nearshore Americas.
Another regulation that they are looking at is the sharing of penalties from enforcement actions with harmed individuals. “So it is likely that they will look at those before the accounting disclosure regulation,” Greene said, adding that when the regulation is next put forward it is likely that it will be in the form of another round of discussions, rather than the final version of the regulation.
The thus far dormant accounting-of-disclosures regulation may impose additional requirements if it does eventually come into force. Bill Huber, Managing Director of Alsbridge, noted that it would be difficult to impose this requirement retroactively, as only data already being tracked could be reported accurately.
He added: “Moving forward, this simply becomes an additional reporting requirement, for which the additional costs of compliance would need to be negotiated and allocated based upon which obligations are already defined within the contract and which would need to be added.”
Huber explained that providers who do not have the requisite tracking and reporting capability would need to acquire it, seek an exemption if possible, or potentially exit certain relationships or specific scope within relationships.
The onus on vendors, then, is to continue to ensure that patient health information is secure. Between September 2009 and September this year, there have been 1,338 breaches affecting 500 or more individuals, according to the Department of Health and Human Services’ Office for Civil Rights’ “wall of shame” website.
In a recent interview, Kate Borten, founder of the consulting firm The Marblehead Group, noted: “I believe many, if not most, breaches are still going undetected. And in spite of the HIPAA Omnibus Rule clarification on breach determination, some organizations continue to misinterpret security and privacy incidents and underreport.”
In a recent article, Greene advised vendors and clients to examine the details of the HIPAA resolution agreements that “federal regulators are signing with covered entities for HIPAA non-compliance cases and data breaches.”
When vendor-client relationships cross borders, the issue becomes even more complex. “The perception is that a security breach in India is worse than one in Pittsburgh, but that is just silly thinking. While it is unlikely that OCR will choose an IT vendor in Venezuela to audit, it is important that the healthcare provider do an even more rigorous level of due diligence with a vendor in, for example, Venezuela,” said Kirk Nahra, Partner at Wiley Rein LLP.
Greene added that there is a strong argument that OCR will not be able to enforce HIPAA and HITECH on vendors outside of the US. He noted, though, that there are two types of audits that can be conducted: a desk audit, which looks only at documents, and an on-site audit. “An on-site audit of a foreign vendor is highly unlikely, but a desk audit is possible,” he said.
He added that even though cross-border enforcement is unlikely, vendors that want to service the healthcare sector in the USA need to demonstrate that they are compliant in order to attract business. He believes that there will be increasing specialization among IT vendors to meet the increasingly specific client needs of the healthcare sector.
Despite the fact that the HIPAA Omnibus Rule, which implemented the HITECH Act’s changes to HIPAA, took effect in 2013, there is still confusion and lack of understanding regarding requirements, according to some experts. Max Aulakh, President of Mafazo Digital Solutions, which works with organizations to address regulations and security issues such as HIPAA and PCI-DSS, said: “Business leaders today are missing how to navigate issues around HIPAA for outsourcing.”
Greene said that there is great disparity between the level of preparedness by BAs. “Some are entirely unprepared. Especially smaller entities and business associates where health information is not core to the business,” he said.
There is also confusion as to whether HIPAA and HITECH preclude the use of outsourced vendors. Greene emphasized that this is not the case.
Aulakh added that most vendors and clients are still not aware of the full implications of what the HITECH Act means. He emphasized that “it does not prevent outsourcing outright; however, it calls for management of appropriate risk management through different activities, such as proactive vendor management and security policies supplemented by technical security controls.”
Aulakh cited the example of building an Electronic Medical Record (EMR) or another type of system that manages healthcare information. In such a case you may outsource the development of the system, provided that the development environment contains no real patient information. He stressed the need to practice extreme caution by implementing a technical due diligence process.
The healthcare provider must ensure that the outsourced application development team performs and implements security measures surrounding secure software engineering. “In addition to that, there should be a configuration management and transition plan between the outsourced entity and the entity under HITECH regulation,” he said.