March 23, 2016 01:00 AM

Wider HIPAA audits may drive stronger vendor contracts

Joseph Conn

    The volume of patient data handled by vendors of healthcare organizations has exploded with the near ubiquity of electronic health records systems and the growing role of analytics and mobile devices in healthcare.

    The feds appear to be preparing to clamp down on the sometimes porous flow of patient data handled by contractors, whose security failures have been linked to the exposure of nearly 33 million individuals' medical records since 2009.

    These contractors, termed “business associates” under HIPAA, will be included as primary audit targets in the second round of HIPAA audits by HHS' Office for Civil Rights.

    “There are so many people who are doing innovations and startups and want to get into healthcare and are unaware of the rules and regulations,” said David Muntz, former principal deputy director of the Office of the National Coordinator on Health Information Technology at HHS. Muntz now heads a Dallas consulting firm. “What I'm hoping it will do is keep people out who are insincere about becoming HIPAA-compliant.”

    Some larger healthcare organizations have employed hundreds and in some cases as many as a thousand business associates, according to Adam Greene, a partner in the Washington, D.C., office of Davis Wright Tremaine.

    In one sense, by including the business associates, the civil rights office is simply catching up with privacy and security rules it issued three years ago. But the OCR announcement also means that enforcement of these more stringent rules could give healthcare organizations more leverage to get stronger agreements with their contractors.

    “It will force greater visibility into what's going on--and greater accountability,” said Michael Overly, a partner at Foley & Lardner, who specializes in cybersecurity law. “In many instances, covered entities don't have the right to go in and audit what a business associate is doing,” particularly some of the biggest cloud vendors, which severely restrict access to their data centers, Overly said.

    But now that BAs are legally liable to the feds for compliance with HIPAA privacy and security rules, “covered entities will insist on having some kind of audit rights” when they sign HIPAA-mandated agreements with these vendors, Overly said.

    Upgrades to the HIPAA privacy and security rules in the health IT provisions of the American Recovery and Reinvestment Act of 2009 put BAs on an equal legal footing with HIPAA covered entities – hospitals, physician practices, health plans and claims clearinghouses. That means vendors that violate the rules are subject to civil monetary penalties of up to $1.5 million a year.

    “A significant part of the (first-round) audit process,” completed in late 2013, included OCR hiring a contractor “to come up with the number of covered entities out there,” Greene said. “I've heard the figure of 3 million.”

    One goal of the new round of audits, Greene said, will be to assemble a sort of directory of business associates.

    The first phase will involve OCR staff and special hires conducting “desk audits,” not requiring agents to go into the field. Covered entities will be asked to provide basic information about their business associates. “It won't be a complete list,” Greene said, but it will provide a starting point for identifying business associates to audit.

    Just as business associates now share equal legal liability under HIPAA, they've long shared culpability for data breaches, according to federal records.

    Of the 1,472 major healthcare data breaches on the OCR's “wall of shame” website, 309 (21%) involved a business associate. Those breaches exposed 32.8 million individuals' records. The wall displays breach information going back to September 2009.

    Last week, the civil rights office announced reaching a $1,550,000 settlement agreement with Memorial Health Care, Robbinsdale, Minn., over possible HIPAA violations, which included not having a business associate's agreement with Accretive Health, a Chicago-based revenue cycle management firm.

    Last summer, Systema Systems, a Larkspur, Calif.-based provider of claims management software, moved a copy of a database to Amazon Web Services, a major cloud data storage provider, but without controls needed to block unauthorized users.

    A Texas computer hobbyist downloaded the records. Government agencies in Kansas, Utah and California learned about the breach when the hobbyist called and told them that copies of their workers' compensation and liability insurance records on about 1.5 million people were on his computer hard drive.

    Overly said the Systema breach could be a poster child for what could go wrong with covered entity/business associate relationships. “That's exactly the thorny problem that's presented to many healthcare providers,” Overly said. “I know who I'm talking to, but I don't know who they're contracting with.”

    If a vendor decides to subcontract its work, “you need to make sure that the subcontracting party is bound by the (business associate) agreement,” Overly said.
