The Omnibus Final Rule of the Health Insurance Portability and Accountability Act came into effect on March 26, after a long period of amendments, deliberation and adjustments.
The main aim of the new legislation is to amend the HIPAA Privacy and Security Rules and the breach notification rules, and this major amendment is often labelled "The HIPAA Mega Rule". The new rules apply to all HIPAA-covered bodies and will be enforced by the Department of Health and Human Services; its Office for Civil Rights is due to begin a series of random audits to check for compliance later in 2013.
The new rules apply not only to healthcare groups but also their business associates. Under the final rule the definition of business associate has also been amended, and now includes any supplier of a service that has contact with electronic protected health information (ePHI). Specifically this means any body that “creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity”, and they must now agree to abide by the HIPAA Omnibus final rule.
This means that data centers and suppliers of cloud services serving the healthcare industry or any HIPAA-covered entity are now included under HIPAA regulations if they have any customers or provide any services that involve working with electronic protected health information.
A large number of hosting providers and companies offering cloud solutions to healthcare organizations have already completed business associate agreements to ensure HIPAA compliance, even though the legislation did not specifically call for it. The Final Rule defines exactly who is now covered, and states that the security rules must be complied with even if no contact is maintained with the data. Data storage companies are therefore also included.
Business associates that use subcontractors to supply part of the service, or to help with other company functions that bring them into contact with ePHI data or the servers on which the data is stored, are also covered under this legislation. If a subcontractor is required to maintain, receive, create, analyze or broadcast ePHI data, it must also abide by the HIPAA privacy and security rules.
A failure to keep the appropriate data security standards in force and to comply with all HIPAA requirements will leave the business associates (BAs) concerned liable to be fined directly by the OCR, and audits are not thought to be restricted to healthcare organizations. Heavy financial penalties will apply if non-compliance issues are identified.
According to the new Omnibus Rule, cloud hosting providers and data storage firms, together with their subcontractors, will be liable for any of the following data security and privacy failures, even if they have not previously completed a business associate agreement:
- Any disclosure of ePHI to an unauthorized person or group
- ePHI being used improperly
- Not holding a current, signed business associate agreement with any subcontractors who work with ePHI data
- Appropriate security controls to restrict access to ePHI not being in place
- In the event of a security breach, a failure to issue a breach notification to the covered entity
- Failure to disclose PHI to the HHS, or to an entity stipulated by the HHS
- Past disclosures of PHI to other individuals or bodies not being documented
- Failure to provide access to the legitimate owner of the data upon written request
Suppliers of cloud services, as well as suppliers of services to those companies, can expect to be subjected to stricter checks on how data is stored and transmitted. Violations of HIPAA regulations now carry stiffer fines, with a maximum of $1.5 million in penalties applicable for data breaches, disclosures and serious violations of the new rule, and between $150 and $50,000 per single violation. The deadline to comply is Sept 23, 2013.
One of the most efficient and safest methods of ensuring HIPAA compliance when providing cloud services is to segment the business and create specific sections that adhere to all HIPAA regulations. This makes it easier to provide individual client services and ensures that any HIPAA-covered client can be guaranteed HIPAA compliance.
Stricter data security policies can then be applied to all hardware and software used in that section of the facility, and the workforce there can receive proper training. Data centers and cloud service suppliers should also consider developing their own business associate agreement to use with subcontractors, which should clearly state who holds liability in cases of accidental or deliberate disclosure of data.