Earlier this week, I wrote about how the Omnibus rule impacts cloud service usage. Healthcare IT departments must also consider how the law impacts them, even if the organization has not yet delved into the cloud.
The new HIPAA Omnibus rule primarily impacts the HIPAA privacy, security, and breach notification rules. The good news is that there isn’t a lot in the Omnibus rule that is really new. The Omnibus rule formalizes the requirements that were already put into place by the HITECH act and subsequent Health and Human Services (HHS) rules (or proposed rules).
The main things that healthcare organizations will have to watch out for with regard to the Omnibus rule are the relationships that they have with the vendors that they use and the relationships between various departments within the healthcare organization.
Although a healthcare provider might be classified by HIPAA as a covered entity, the organization may designate a "health care component" ("HCC"). This is done by treating the organization in a compartmentalized manner and documenting the "components" of the organization that should be treated as a Covered Entity. In doing so, the organization excludes the components that are not designated from being treated as a covered entity (or as a part of a covered entity).
The advantage to doing so is that it can ease the burden (and cost) of HIPAA compliance. The problem is that if a component that is treated as a covered entity were to disclose protected health information to a component that is not treated as a covered entity, then the disclosure is treated in the same way that it would be if protected health information were disclosed outside of the organization. As such, healthcare providers must exercise great care with regard to the way that protected health information is shared within the organization.
The Omnibus rule also changes the relationship between a covered entity and the IT vendors that they use. This change primarily impacts cloud service providers, but can impact other types of vendors as well. Under the law, certain types of vendors are now treated as business associates rather than merely being treated as vendors. This means that these providers share the responsibility for the security and privacy of electronic protected health information.
The types of vendors that must be treated as business associates are those that routinely store, transmit, access, or use protected health information. Interestingly, the law doesn’t just affect vendors who provide services to the covered entity, but also those who provide services to the covered entity’s business associates. For example, if a covered entity decided to use Company A as an e-prescribing gateway and Company A outsourced its datacenter to Company B, then Company B would be covered by the law’s requirements, because it is handling electronic protected health information on behalf of a covered entity’s business associate.
Section 160.103 goes to great lengths describing what constitutes a business associate relationship, even going so far as to state that one covered entity can be a business associate of another. Generally speaking, however, a business associate is an organization that in some way stores, accesses, uses, or transmits protected health information. The exact definition can be found here.
Thankfully, the Omnibus rule does make an exception for those organizations that merely transmit protected health information. For example, an Internet Service Provider would not be considered a covered entity’s business associate because it merely acts as a conduit for passing electronic protected health information between a sender and a recipient. The Internet Service Provider does not store the data or attempt to access or make use of the data. As such, it is not treated as a business associate.
A covered entity is responsible for determining which of its vendors should and should not be treated as business associates and for establishing a business associate agreement with those providers. The Omnibus rule went into effect on March 26, 2013, and covered entities have 180 days from that date to fully comply. Vendors who are treated as business associates must also establish compliance by the same date, but those who are operating under existing agreements can continue to do so until March 26, 2014, so long as the vendor is HIPAA compliant.