
Readers Write: Vendors – Welcome to the World of HIPAA

March 20, 2013

Vendors – Welcome to the World of HIPAA
By Frank Poggio

For the last decade or so, vendors sat on the fringes of the HIPAA regulations: sign a fairly innocuous Business Associate (BA) agreement and let the provider worry about the details of compliance.

As of January of this year, the Office for Civil Rights (OCR) formally “invited” vendors into the HIPAA labyrinth of rules and regulations. Under the new 500-page HIPAA Omnibus Final Rule, Covered Entities (providers) must send new Business Associate agreements to their suppliers and vendors. You should get yours soon, and as an IT supplier you will see several new requirements.

The biggest one is that system vendors that touch Protected Health Information (PHI) in any way while providing a service to a Covered Entity must commit to full compliance with the HIPAA rules by September 23, 2013. Touching means coming into contact with PHI in any form: creating, capturing, editing, changing, storing, passing on, reformatting, or converting even a single piece of PHI for even one patient. The HIPAA rules do not differentiate between full EHR systems, EHR modules, application types, middleware, report tools, conversion tools, or archive tools. Basically, if your system touches it, you own it.

As an extreme example, say your software does only parking lot management for a hospital, and the hospital owns and operates the lot. If you somehow capture any personal identifying data, your firm will have to meet HIPAA compliance. (If the lot is run by a third party rather than by the provider, the system would not come under HIPAA.)

A more realistic example is the typical analytics tool that takes detailed information, aggregates it, and generates only summary, management, or trend reports. Your analytical system (say, one that grabs a UB bill file and calculates averages) may never report out or allow access to any specific patient’s PHI. But because you received the data on a case-by-case, patient-level basis, your firm and software must meet HIPAA compliance, even if you stripped out the PHI before you stored the records.

The Final Rule is clear that if you touch PHI, even if you don’t look at it, you must comply. There are no exemptions for encrypted data, servers in locked cabinets, or remote cloud systems. The one narrow carve-out is for pure transmission services, such as telecoms, that do not require routine access to the PHI they carry; a vendor that stores or processes PHI on a provider’s behalf does not qualify for it.

As a vendor, what must you do to be HIPAA compliant? Your firm must supply documentation of:

  1. Policies addressing HIPAA privacy and security issues
  2. Privacy and security procedures
  3. Workforce HIPAA training
  4. HIPAA-compliant workflows
  5. Readiness for an OCR audit or a data breach investigation
  6. HIPAA compliance of any subcontractors you use

Your clients may require an independent audit of the above, at your expense, as a condition of continuing as their vendor. If you do not provide it, their legal counsel may advise them to replace your system with a competitor’s. Remember, the above must be in place before September 23, 2013. Lastly, if you or your provider client has a data breach and OCR finds you lacking in compliance, you can be fined up to $1.5 million per calendar year for violations of a single HIPAA provision.

As I noted in a past HIStalk Readers Write piece, ONC in Stage 2 “exempted” EHR Module vendors from testing on the privacy and security certification criteria (if the vendor so chose), but it did state that the vendor must still be HIPAA compliant. In practice, that means implementing the ONC privacy and security criteria anyway.

Welcome to the wonderful world of HIPAA.

Frank Poggio is president of The Kelzon Group.

4 comments on this article:

  1. I think saying that “vendors that touch [PHI] in any way…” is a bit misleading. The vendors involved are only those that are covered under HIPAA, which means that they have to provide services to the CE that require them to access/use/store/etc. PHI. Incidental contact with PHI does not make one a BA, so the parking lot system example may not necessarily be accurate, it would depend on the services they actually rendered to the hospital.

    They did expand what was included in the BA bucket to include patient safety organizations, and also clarify when a PHR vendor becomes a BA, but didn’t broaden it to include everyone. As a good example of how it doesn’t include everyone, PHR vendors, even if they get PHI directly from a CE and have a unique agreement and interface to do so, do not become BAs of the CE as long as they don’t provide this service for the CE but instead do it on behalf of the patient.

    The statement “the Final Rule is clear that if you touch PHI, even if you don’t look at it, you must comply” is also just wrong. The exact quote from Federal Register is “The final rule adopts the language that expressly designates as business associates: (1) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.” That’s pretty dense legalese warranting several pages of discussion around it, but it defines it pretty tightly both in terms of what is included and what is not. Organizations that simply transmit PHI and do not access (e.g., telecoms) or that have access to it but don’t use it for any healthcare-related purposes (e.g., the parking lot vendor example, in most cases) would not be covered.

    All of that said, the spirit of what Mr. Poggio posts is generally going to be true. CEs generally don’t share PHI with vendors that don’t do anything with it, so the exceptions are not going to be the most common situations.

    What I hope will happen is that we’ll see more vendors that were traditionally considered by hospitals and other CEs to fall under the BA umbrella, mostly because they didn’t know where to draw the line, now saying “no thanks, I’m not a BA” and pushing back on just signing. In the long run this will help make HIPAA compliance less messy and expensive for everyone.

  2. Frank,
    Great article and very well written. This definitely should be a wake-up call to any vendor who does business with a health care-related organization. It is no longer just the responsibility of the provider to protect PHI. A fine from the OCR could do a lot of damage not only to the vendor’s business but to their reputation. Thanks and keep up the good work.

    Thomas Johnson

  3. RE: Anonymous
    My parking lot example assumes the parking lot is owned and operated by the provider organization. If it is not then I agree it would not come under HIPAA.

    Unfortunately ‘push back’ may mean losing a client. Not too many firms today can afford to do that. I am afraid you’re also right about it getting more expensive. Can’t think of an example where regulation ever reduced costs. Can you??

    Thomas- thanks for the comment.
    Frank

  4. By the strictest definition of BA, MS Word would need to comply and have individual contracts with CEs as well. Clearly, the Word document touches PHI at every HC workstation nationwide. But, as in the case of report developer software, the folks in Seattle will not “see” PHI even though their software “touches” PHI.

    It is an important distinction. It is certainly not in the business interest of the software vendor to “see” PHI in a software upgrade, a process that should be largely automated and run by the customer. If there are any problems in the upgrade, any discussion of patient data would be categorical on the basis of fields, pages, queries, etc. and would not require a patient ID per se.
