Take, for example, the implementation specification for Emergency Access Procedure within the HIPAA Security Rule. The purpose of this provision is to ensure that covered entities have procedures in place to access ePHI outside of normal operational circumstances. It is incumbent upon the covered entity to define which kinds of situations require emergency access, and it is implied that a service provider that maintains ePHI on behalf of a covered entity or business associate is also responsible for accommodating those situations, regardless of whether the ePHI is encrypted.

Another example involves business continuity and disaster recovery, as required by the Security Rule's disaster recovery plan, emergency mode operation plan and contingency operations implementation specifications. Service providers must routinely test their business continuity and disaster recovery plans, analyze outages, train workforce members on these procedures and maintain documentation of these activities. Covered entities can be held accountable for a lack of planning on the service provider's part if that lack of planning results in a breach.

Under the Omnibus Final Rule, a business associate is defined in terms of the functions or activities it performs on behalf of a covered entity in relation to ePHI. An entity is not exempt from the definition of business associate, and is not relieved of the accompanying compliance obligations, simply because the ePHI it handles is encrypted.

All of this comes down to one simple notion: accountability. Or, as the Omnibus Final Rule puts it, prevention of security lapses due to outsourced IT arrangements. No matter where the ePHI flows, the full scope of HIPAA security must be considered. Attempts to shed responsibility somewhere along that flow miss the point entirely, and covered entities remain accountable. Service providers that work with covered entities need to realize that they are responsible for ePHI, no matter its form, and that they too may be held accountable at the discretion of the Department of Health and Human Services. For a service provider this is a huge gamble, since instances of noncompliance could be deemed willful neglect, subjecting covered entities and their business associates to significant monetary penalties. Under the new tiered-penalty structure, penalties for uncorrected willful neglect can reach the annual cap of $1.5 million for all violations of an identical provision in a calendar year.

Covered entities should review their business associate relationships immediately, as the compliance clock is ticking down to Sept. 23, 2013. They will need to ask the difficult questions about how their service providers manage operations with respect to the full scope of HIPAA security, and establish expectations around the assurances given for compliance.

As you can see, the Omnibus Final Rule, while meant to clarify accountability, raises additional questions for the health IT community. We are hopeful that this article provides you with a better understanding of the roles of covered entities and business associates under HIPAA.

Verizon offers managed hosting and cloud services designed to meet the appropriate HIPAA controls for storing and protecting ePHI, including signing a Business Associate Agreement with covered entities that store their ePHI with Verizon.
HMT HEALTH MANAGEMENT TECHNOLOGY
July 2013, page 39