There has been a lot of attention lately about the HIPAA Omnibus Final Rule and how business associates that create, receive, maintain or store protected health information (PHI) on behalf of a covered entity are now directly subject to the HIPAA Security Rule and parts of the HIPAA Privacy Rule. The Omnibus Final Rule clarifies some grey areas, the most meaningful of which, we feel, is the inclusion of “stored PHI” as this directly affects hosting and cloud providers of covered entities.
The reason Verizon has been so vocal on this front is because it’s important that healthcare entities revisit their business associate agreements (“BAA”) – and make any necessary changes before September 23, 2013 – to confirm that their PHI remains protected and safeguarded per the new business associate requirements.
In fact, the HIPAA Security Rule (45 CFR 165.308) and the CMS Meaningful Use Incentives require that covered entities (healthcare organizations) perform a security risk analysis and correct the deficiencies it identifies. If they do not, they face a new tiered penalty system that can carry penalties as high as $1.5 million per violation for repeated willful neglect.
As a covered entity, selecting the right business associate is more important than ever. If a covered entity stores PHI with a service provider (such as a hosting or cloud provider) who cannot sign a BAA, then that covered entity should look elsewhere for one who can. Business associates who don’t comply with the HIPAA Security Rule put the covered entity at risk.
Ultimately, it is the covered entity who is responsible for end-to-end HIPAA compliance.
Healthcare organizations need to understand that if a breach or compromise of data containing PHI were to occur, and it involved their business associate (anyone who creates, receives, maintains or stores PHI on behalf of a covered entity, such as a hosting or cloud provider), the covered entity would be liable and could face stiff fines.
Many cloud providers have taken a “wait and see” approach by postponing the assessment and remediation of their infrastructure and not signing a BAA with covered entities. Implementing a comprehensive and compliant security program to protect PHI is neither simple nor inexpensive.
“Verizon’s healthcare enabled services are housed in two large data centers that were specifically designed to meet the applicable physical, administrative and technical security controls under HIPAA. We enable our healthcare clients to focus on their core business, while we handle their cloud infrastructure operations,” said Scott Peterson, vice president, healthcare, Verizon.
See how Verizon Healthcare Enabled Services are different. As your Business Associate, we will help you meet your HIPAA security requirements while delivering world-class cloud infrastructure operations.