An AG, a CE and BA Walk into a Bar….

…the AG asks the CE, “Is that your BA?”  Wait for it…

In the United States there are very few states that have not passed additional privacy legislation since the enactment of HIPAA, or even before HIPAA came on the scene. Most states have a privacy law that governs the use of personally identifiable information (PII), including protected health information (PHI), to ensure the security and privacy of their citizens when their information is used or disclosed by any business operating in the state.

In some cases the state law is more stringent than HIPAA and already requires covered entities and business associates to protect PII or PHI, because state privacy laws are usually written from the perspective of any business operating within the state's boundaries. Although a covered entity may do business in a state not governed by additional privacy laws, we must not forget that HITECH opened the door for the State Attorney General (AG). Dun, dun, dun…

State Attorney General “Persona”

Some state prosecutors are a little more aggressive than their counterparts, and they have quickly targeted the risk that both a covered entity and a business associate pose to a constituent's PII or PHI. Lest ye forget, they are elected officials. What wins the hearts and minds of most individuals? Heroes, champions for the greater good, and anyone else looking out for their personal welfare. Enter the AG who proclaims, "I will defend your rights to privacy and punish the gross and negligent offenders!" HAAAA! Roar! And the crowd goes wild!

Campaigns to Date

It has been the common trend for states to prosecute based on the data privacy laws of their state. This is changing, though. Connecticut was the first state to prosecute under HITECH in 2010. Other states slowly followed suit; to date the most active have been Connecticut and Massachusetts, who go after violations of both state and HIPAA requirements. A common source of health information security events and news, which many of you may already follow and I have cited here in the past, Healthcare Info Security, ran an article this month referencing the 2012 breach involving Hartford Hospital and a business associate, EMC Corp, and how the state of Connecticut responded with fines and remediation activities. The real takeaway from that article, though, emphasizes what we have been discussing throughout this blog: how are you managing the risk that may stem from a business associate breach? Are you hoping it will take care of itself because you prefer surprises? Hmm…remember that concept called "willful neglect"?

Where’s the punch line?

If a covered entity is still relying on the face value of its business associate agreements, it is safe to say the risk from a business associate is continuing to increase, not suddenly diminishing. If the federally mandated requirements of HIPAA are not enough to adjust your strategy, I would suggest you definitely make sure you have a handle on what your state may be up to. You may be one of the lucky ones where state requirements are stricter. Stricter or not, though, breaches rarely have happy endings for covered entities.

The CE says, "Yes. Would you like to join us?" The AG says, "No, thanks. I SETTLE with you later."

How the Latest Final Rule Relates to Business Associates

ONC Health Information Technology Certification Program. Just let that hang there for a while. For those of you who have been following the blog, you may have noticed that there were no posts in October. I wanted to take the time to fully review the latest final rule release, not get distracted, and not jump on the bandwagon with everyone else's "interpretations." I'm glad I did, because it provided additional perspective and allowed some time for the new updates to stew a little bit in my head. Rather than get caught up in the nuances of the next saga in HIPAA, I want to focus on the big picture.

When HITECH was first introduced, one key component was creating a set of criteria and standards for electronic health record (EHR) solutions and platforms. Most small providers are not funded to purchase the majority of the offerings on the market, and this was later seen as an inhibitor to meeting meaningful use and being eligible for EHR Incentive dollars. In a move to balance this inequality, the certification program managed by ONC is being expanded to include other information technology solutions and platforms that can have the same benefits for PHI exchange. With Stage 3 around the corner, and reimbursements or fines hanging over providers' heads, focusing only on EHR tools limits the capabilities of the entire system. When we look not only at small providers, but also at HIEs or RHIOs, who do not need a comprehensive EHR, other technology is more suitable yet requires additional overhead to ensure it can meet compliance requirements. This was on the shoulders of those entities until the modifications of this latest rule, or so one might assume.

What does it all mean, though? Let's take the "ONC Health Information Technology Certification Program" down from our imaginary hook and look at what implications it may or may not have for the success of the overall goal: an interoperable nationwide health information infrastructure. Even if access to PHI is now more readily available to any provider, on any system, at any given time, there are a couple of elephants still in the room:

1. How is the liability impacted for a Covered Entity or a Business Associate who selects a tool that has been certified by the program?

This will probably be decided with the first breach of a "certified" tool, and more than likely in a court of law.

2. HHS avoided getting into the business of certifying technology tools for almost 20 years. Is passing the process on to ONC via a Public Welfare law enough to protect the department, a covered entity, or a business associate from patient complaints?

Highly unlikely. We wouldn't need attorneys if everything was that simple.

3. Has anything changed for the Covered Entity?

Not really. Although ONC will make the first pass to certify that a new technology, solution, or platform meets the certification criteria and objectives, the Covered Entity still has a due diligence requirement to ensure that the tool, once inserted into their process, will maintain the security and privacy of PHI and will be compatible with any partners, business associates, internal systems, etc. It also requires the same risk assessment process that previous tool selections and evaluations required.

Big picture: This latest final rule intends to improve the likelihood of an interoperable nationwide health information infrastructure, decrease the costs of developing health information technology, and increase the options available to a Covered Entity, but overall it will just bog down your inbox with more emails mismarketing the phrase "HIPAA Certified".

Do yourself a favor and develop a solid strategy for managing business associate risk. For those working toward Stage 3 certification and hoping for funding dollars, you still have to attest to meeting the requirements; no one else can do it for you. It is nice to have the criteria more broadly defined, but it truly changes nothing that you should not already have a process in place to achieve.