Healthcare organizations signing new deals with vendors, including many cloud services providers, must make sure that their business associate agreements reflect the requirements of the new HIPAA Omnibus Rule, which went into effect on March 26.
The rule broadens the definition of business associates to include any vendor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity.
And under the rule, business associates and their subcontractors are now directly responsible for compliance with the HIPAA Security Rule and many components of the HIPAA Privacy Rule. So contracts between covered entities and business associates need to reflect that change.
A business associate, starting March 26, will have the same responsibilities as a covered entity under HIPAA.
A common complaint from healthcare organizations has been that many vendors (including some large cloud services providers) have declined to sign business associate agreements.
But remember: if such vendors are audited for HIPAA compliance or investigated after a breach and have no business associate agreement in place, they risk additional monetary penalties for HIPAA non-compliance.
Under HIPAA, covered entities have always been required to have business associate agreements in place with their vendors that describe the safeguards for patient information. What has changed under the HIPAA Omnibus Rule is that, when these contracts are entered into, they now need to spell out for the business associate exactly which uses and disclosures of protected health information it is permitted to make.
As a provider of cloud services, Microsoft has always considered itself a business associate, says Dennis Schmuland, chief strategy officer of Microsoft's U.S. health and life sciences division. So the company has long provided its cloud computing customers in the healthcare sector with a business associate agreement that the company developed in collaboration with healthcare providers, payers, and medical schools. The agreement, however, is a standard contract Microsoft offers to all its healthcare customers regardless of the cloud services they use.
Healthcare organizations should demand that their business associates, no matter what their size, be very clear about how they'll safeguard patient information. And they should demand specifics on how these vendors will limit their use of sensitive patient information to what's "minimally necessary" to perform a specific function, as required under HIPAA.
If your organization is doing work with vendors, including cloud computing specialists, that have been reluctant to sign business associate agreements in the past, make sure they're aware of the HIPAA Omnibus Rule. If they continue to drag their heels, then it's time to shop around for other vendors more forthcoming about privacy and security issues.