Note: this article was originally published in Maryland Physician Magazine in its May/June 2013 issue.
The HITECH Act of 2009 set in motion a series of changes to the HIPAA rules that govern the use, disclosure and protection of protected health information (“PHI”). The Department of Health and Human Services (“HHS”) subsequently issued interim regulations in response to these changes in the law, and this year issued a final regulation, effective March 26, 2013, that requires compliance by covered entities and business associates within 180 days. These final HIPAA security regulations make a number of important changes that may affect your relationship with the vendors that provide you with electronic health record (“EHR”) licensing and support.
First, prior to HITECH, business associates of covered entities were not required to comply with the security rules and standards set forth in the HIPAA security regulations. HITECH extended the applicability of the security regulations to business associates. The final regulation from HHS implements this provision of the HITECH Act, but with a twist: subcontractors to business associates are also defined as business associates within the final regulation. What this means is that EHR vendors and their subcontractors must fully comply with the HIPAA security rules, not merely adopt “reasonable” security measures.
Second, prior to HITECH, there was no federal requirement that a covered entity or business associate report a security breach that resulted in the disclosure of PHI. HITECH created such a breach notification requirement; HHS subsequently issued interim regulations to implement it, and as of March 26, 2013, HHS issued final regulations that alter the presumptions and exceptions governing what constitutes a “breach” under HIPAA. In addition, business associates and subcontractors are obligated to report security breaches to covered entities.
For providers that are at the beginning of their search for an EHR vendor, have an attorney review any proposed contract between your organization and the vendor to ensure that the business associate provisions comply with the final regulations. If you already have an existing relationship, work with your attorney to ensure that the contract in place complies with the final regulatory requirements. All business associate agreements must come into compliance with the final regulations by September 2014.
In recent years, some EHR vendors have moved to “cloud”-based data storage and access solutions for their clients. These cloud systems are designed so that the provider data collected by the EHR is stored at a remote data center and made available to the provider over an internet connection. Some EHR vendors subcontract with a third party to provide the cloud data storage. More likely than not, that subcontractor is now a business associate under the final regulations and takes on the same obligations as the EHR vendor with regard to your data. The final regulations require that a covered entity’s contract with its business associate require subcontractor compliance with the final security regulations.
Beyond compliance issues, providers will want to evaluate whether an EHR vendor that hosts their data in the “cloud” has really made sufficient provision for security. Such an evaluation makes good business sense because of the severe consequences a health care provider faces from any security breach that results in a loss of PHI. For example, does the vendor comply with a recognized national security standard (such as one published by NIST)? Is the EHR vendor, or the data center it uses to store your data, audited against a SAS standard like SAS-70? What security practices and security devices are in place at the EHR vendor to protect your data? If the vendor will host your data, what are its disaster recovery and data backup procedures? Are those procedures regularly tested?
Providers and their counsel should also evaluate what, if any, additional provisions should be negotiated into any final agreement with the EHR vendor concerning the vendor’s compliance with a security standard, its commitment to security procedures, and related obligations (such as maintaining appropriate network perimeter security and/or appropriate encryption of data during transmission).
The changes in HIPAA compliance mean that providers cannot simply treat EHR vendors as a “black box” into which they place PHI, relying on the EHR vendor’s representations that it knows best regarding security. In addition, because the scope of HIPAA now extends beyond covered entities and business associates to most subcontractors of business associates that handle PHI, more entities are at risk of substantial fines for failing to comply with the applicable security standards. All providers should work with their counsel to analyze and address compliance with the final regulations.