Many security solution providers struggle to find compliance work, yet supporting compliance with the Health Insurance Portability and Accountability Act (HIPAA) is a sizable opportunity.
Although the laws protecting patient and health care data are far from new, the changes to HIPAA enacted in 2009 and expanded by rules proposed in 2010 increased the number of companies that must comply. This means there are more potential customers than ever who may need HIPAA compliance services. It also means security solution providers may need to comply with HIPAA themselves.
Changes to HIPAA
HIPAA has been around since the mid-90s, and back then many medical practitioners either didn’t care or didn’t realize the importance of compliance. In my experience, they would even say things like, “No one has ever been busted for not complying. Let me know when someone gets fined.” With the new, more stringent regulations and the mandatory, more severe enforcement contained in the Health Information Technology for Economic & Clinical Health (HITECH) Act, the option of inaction, and the time for it, have passed.
The most significant change for security solution providers (including VARs, service providers, consultants, etc.) is the law now extends from the covered entity (CE) to the business associate (BA) who supports them.
The law defines a BA as any individual or corporate entity that:
- Performs on behalf of the CE any function or activity involving the use or disclosure of protected health information (PHI), and
- Is not a member of the covered entity's workforce.
Covered “functions or activities” can include, but are not limited to, billing and accounting, consulting, data processing, data and systems management, administrative services, transcription services, financial services and any other service that could involve the use or disclosure of PHI. The definition does not reach people who are at most incidentally exposed to PHI; a custodian working in the CE’s building, for example, would be excluded.
Implications of HITECH
HITECH specifically states the business associates of a HIPAA covered entity must abide by HIPAA. In 2010, the U.S. Department of Health and Human Services (HHS) proposed rule changes that extend compliance requirements to all subcontractors and associates of business associates. Therefore, if you are working with CEs, this likely means you, the security solution provider, are a BA and must also comply with HIPAA.
HITECH significantly increased the penalties for non-compliance. For example, in cases of willful neglect, penalties range from $50,000 per violation up to $1.5 million per category of violation per year. HITECH also provides funding for enforcement, allows recovery of attorney’s fees in certain actions, lets the HHS Office for Civil Rights (OCR) retain the civil penalties it collects to fund further enforcement, and provides for a system under which victims of a breach may receive compensation. It also protects whistleblowers who report violations committed by CEs that receive American Recovery & Reinvestment Act (ARRA) funds.
Opportunities for solution providers
These changes to HIPAA under HITECH have dramatically widened the field of security consulting opportunity: by the author’s estimate, more than a million BA firms now MUST be compliant, not to mention all of the CEs that have been pretending to be compliant. The truth is, as of this writing, the vast majority of the hundreds of BA firms I have encountered don’t know they must be compliant. Even fewer know what being compliant entails.
So, as a security solution provider, how can you benefit from HIPAA and HITECH? First, keep in mind this is an area fraught with potential liability and risk. You must get educated: know the regulations as though your business depends on compliance for survival. If you are not serious about compliance, do not try to bluff your way through being a BA of covered entities. Willful neglect carries mandatory penalties that now start at $50,000 per violation and cap at $1.5 million per category per year. In addition, state attorneys general now have the authority to bring civil actions on behalf of their residents.
The good news is that with the immense risk comes great reward for those who act wisely and professionally. Because the opportunity extends beyond the firms classified as CEs to the firms that support them as BAs, many enterprises need HIPAA consulting services. Prior to HITECH, many CEs had made a calculated decision not to invest in compliance. As a result, there is now the potential for substantial security consulting engagements in getting these CE and BA firms caught up.
In fact, the closer we get to ubiquitous deployment of electronic health records (EHRs), the more revenue opportunities there will be for HIPAA consultants. In nearly every recent situation I have seen, the vendor deploying an EHR system did little or nothing to work with the covered entity to ensure the CE would be compliant beyond the EHR software itself. In some cases (but certainly not all) the VARs that sold the EHR products recommended a compliant EHR tool but deployed it in ways, or into an environment, that made it non-compliant. In some of these instances it was the CE that refused to pay for what was required; in others it was the VAR that simply did not understand HIPAA or basic security measures. In still others, as several VARs told me, it was their desire to close the sale quickly without adding cost and complexity that resulted in the lack of security and compliance.
Even now, more than two years after HITECH passed, I find a fundamental disconnect and confusion in many CEs and BAs about compliance. The IT department believes the compliance staff have it under control, and the compliance staff believe IT is on top of things. Truthfully, in many organizations both groups are failing. This is usually not for lack of commitment, but for lack of information, available time and support from their management.
The better-run health care IT organizations generally handle security in a fairly reasonable manner. However, they are often not properly trained on HIPAA (if at all), and are therefore not adhering to the prescribed behaviors contained in the regulations, meaning they cannot be compliant.
In many organizations I have dealt with, the clinical and legal compliance departments handle the clinical and administrative provisions of HIPAA and other regulations, but fail to verify that the Privacy and Security Rules are actually enforced within IT. The large gap in technical understanding allows the IT department to tell the clinical and legal departments, “Trust us,” when in fact IT has no viable HIPAA program and may not even have a basic understanding of HIPAA. Many of the policies and procedures they create are either far over-reaching or little more than paint-by-number documents copied from another firm, with little relevance to their own business practices.
All of these situations, combined with the large number of CE and BA firms that now must be HIPAA compliant, add up to a huge pool of opportunity for solution providers who thoroughly understand HIPAA regulations and are willing to accept the risks for the rewards. In an upcoming tip, we’ll discuss those risks and rewards in greater detail, and describe specific projects that security solution providers can offer to their customers.
About the author
Kevin B. McDonald is Executive Vice President and Director of Compliance Practices at Alvaka Networks, a 27-year strong Network Services and Security leader in Irvine, California. He is a trusted technology and security consultant and public policy advisor to some of America's most influential people and organizations. He serves as a senior advisor to businesses, state and federal legislators, law enforcement leaders, charitable boards, abuse prevention professionals and municipalities. He is a sought after presenter, panelist and commentator. McDonald consults on the issues surrounding advanced technology, physical and logical security, regulatory compliance, organizational development and more.
McDonald is a HIPAA Privacy and Security Expert and a member of the CompTIA HIT, Advisory Council. He is Chairman of the Orange County Sheriff/Coroner's Community Technology Advisory Council (C.T.A.C) and member of the High Tech Crimes Consortium. He has written for, or been interviewed, in dozens of national and regional publications and he has authored the novel, Practically Invisible.