{"id":2231,"date":"2013-01-21T00:00:00","date_gmt":"2013-01-21T00:00:00","guid":{"rendered":"http:\/\/otava.test\/hipaa-omnibus-rule-narrows-the-hipaa-hosting-market\/"},"modified":"2013-01-21T00:00:00","modified_gmt":"2013-01-21T00:00:00","slug":"hipaa-omnibus-rule-narrows-the-hipaa-hosting-market","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/hipaa-omnibus-rule-narrows-the-hipaa-hosting-market\/","title":{"rendered":"HIPAA Omnibus Rule Narrows the HIPAA Hosting Market"},"content":{"rendered":"

The final HIPAA omnibus rule released late last week holds business associates (BAs) and subcontractors (the BA of a business associate) directly liable for compliance with the HIPAA rules, and sets a deadline for compliance with the new modifications. There\u2019s some cushion time though – the final rule isn\u2019t officially effective until March 26, and even after the date, covered entities and business associates of all sizes will have 180 days to be in compliance. According to HealthDataManagement.com, covered entities will have one year from the compliance date to modify business associate agreements to match the new requirements.<\/p>\n

This may not be enough time for BAs and subcontractors to achieve compliance with the modified rules, especially for those that were never initially in compliance. However, this works two-fold to 1) weed out quality HIPAA hosting<\/a> providers that focus on the healthcare compliance market from the rest; 2) increase the ease of covered entities in securing patient data and maintaining patient privacy by limiting the hosting provider market.<\/p>\n

Compliance is time-consuming and expensive, but the service providers that are willing and able to make that commitment will fare well in the healthcare market, especially since covered entities and BAs are now legally liable for the acts of their subcontractors and therefore monetarily motivated to have a vested interest in the security practices of their hosting providers.<\/p>\n

The Medical Group Management Association (MGMA) issued their own comments on the modifications – they\u2019ve voiced concerns over the short time frames alloted to get up to speed, as reported by HealthDataManagement.com:<\/p>\n

\n

We are strongly supportive of comprehensive privacy and security standards aimed at avoiding unauthorized use or disclosure of patient health information. However, it is critical that the safeguards mandated by the government be practical, flexible and affordable for the broad spectrum of medical practices.<\/p>\n

We are concerned about the ability of practices to implement the changes associated with this final rule, including the requirement to modify and reissue notices of privacy practices and modify business associate agreements–within the short time frames allotted. We will continue to monitor our member practices to ensure that administrative burdens imposed by the government do not hinder the necessary flow of health information for patient treatment, payment and healthcare operations purposes.<\/p>\n<\/blockquote>\n

Considering the definition of a BA has expanded to include patient safety organizations, health information organizations, e-prescribing gateways, providers of data transmission services for protected health information to a covered entity, etc., the rule comes as a serious wake-up call to providers that haven\u2019t done their due diligence in the security arena. A compromise has to be made between the degree of federally ordered \u2018administrative burdens\u2019 and the need to tighten up patient data security.<\/p>\n

So how do you start the arduous process of establishing a culture of security in your organization? Conducting a HIPAA risk analysis is the first step toward implementing the HIPAA Security Rule<\/a> safeguards. The first mandatory component of the nine outlined by the HHS is the scope of the analysis; meaning any potential risks and vulnerabilities to the privacy, availability and integrity of ePHI. For a full list of the risk analysis components, read What\u2019s in a HIPAA Risk Analysis?<\/a><\/p>\n

Other best practices include:<\/p>\n