Vendors – Welcome to the World of HIPAA
By Frank Poggio
For the last decade or so, vendors were on the fringes of the HIPAA regulations. Just sign a somewhat innocuous BA agreement and let the provider worry about the details of compliance.
As of January of this year, the Office for Civil Rights (OCR) formally “invited” vendors into the HIPAA labyrinth of rules and regulations. In the new 500-page HIPAA Omnibus Final Rule, Covered Entities (providers) are required to send out new Business Associate agreements to their suppliers and vendors. You should get yours soon, and as an IT supplier, you will see several new requirements.
The biggest one is that system vendors that touch Protected Health Information (PHI) in any way must agree to commit to achieving full compliance with HIPAA rules by September 23, 2013. Touching means coming in contact with — whether you create, capture, edit, change, store, pass on, reformat, convert, etc. a single piece of PHI for even one patient. The HIPAA rules do not differentiate between full EHR systems, EHR modules, application type, middleware, report tools, conversion or archive tools, etc. Basically, if your system touches it, you own it.
As an extreme example, say your software does only parking lot management for a hospital. If you somehow capture any personal ID data, your firm will have to meet HIPAA compliance.
A more realistic example is the typical analytics tool that takes detailed information, aggregates it, and generates only summary, management, or trend reports. Your analytical system (such as grabbing a UB bill file and calculating averages) may never report out or allow access to any specific patient PHI. But because you received the data on a case-by-case basis, your firm and software must meet HIPAA compliance, even if you stripped out the PHI before you stored the records.
The Final Rule is clear that if you touch PHI, even if you don’t look at it, you must comply. There are no exemptions for encrypted data, servers in locked cabinets, or remote cloud systems.
As a vendor, what must you do to be HIPAA compliant? Your firm must supply documentation of:
- Policies addressing HIPAA privacy and security issues
- Privacy and security procedures
- Workforce HIPAA training
- HIPAA-compliant workflows
- Compliance for an audit or data breach investigation
- HIPAA compliance of any subcontractors you use
Your clients may require an independent audit of the above at your expense as a requirement for you to continue as their vendor. If you do not provide it, their legal counsel may advise them to replace your system with that of a competitor. Remember, the above must be in place before September 23, 2013. Lastly, if you or your provider client has a data breach and OCR finds you lacking in compliance, you could be fined $1.5 million per breach.
As I noted in a past HIStalk Readers Write piece, ONC in Stage 2 “exempted” EHR Module vendors from testing on the privacy and security criteria (if the vendor so chose), but they did state that the vendor must still be HIPAA compliant. In practice, that means implementing the ONC privacy and security criteria anyway.
Welcome to the wonderful world of HIPAA.
Frank Poggio is president of The Kelzon Group.