Two weeks ago, the Department of Health and Human Services (HHS) issued final regulatory rules that place a new group of data processors and third-party consultants directly under HIPAA’s data security compliance regulations.
In 2010, HHS issued a “notice of proposed rulemaking”, seeking comments from stakeholders as it worked out updated regulations for HIPAA that had been mandated by Congress. One of the areas that regulators wanted to resolve was precisely who is subject to HIPAA’s central Security Rule, which defines steps organizations must take to maintain reasonable technical safeguards for electronic protected health information (e-PHI for short).
The regulators first proposed that “business associates” handling e-PHI for, say, hospitals or HMOs, would fall directly under HIPAA laws. While not considered medical providers, they could still be held liable—with civil and criminal penalties—for compliance failures.
Without this type of extension, health organizations could conceivably outsource their data protection obligations to others, and then, depending on what was in the private contract with the business associate, it would be feasible that no one at all could be held responsible for a breach or other security lapse.
What Has Changed
With the finalized rules (which, by the way, run over 500 pages), not only do business associates come under HIPAA, but a new class of consultants and subcontractors who perform work on behalf of the business associates also have HIPAA obligations.
In effect, the final rules say that any company that has access to e-PHI is treated just like a hospital or HMO. By the way, HIPAA/HITECH’s Breach Notification Rule, which originally required health companies and their business associates to report e-PHI disclosures, is now extended to medical data subcontractors as well.
The ultimate intent is to close off any holes in security and enforcement when the business associates themselves outsource data processing to others.