
Four HIPAA Compliance Tips for Business Associates

By HealthLeaders Media Staff, September 09, 2009

The HITECH Act was a long time coming, especially because it holds business associates of covered entities accountable for compliance with the HIPAA Security Rule and with the use and disclosure provisions of the Privacy Rule.

It’s crucial for two particular reasons, according to Daniel Nutkis, CEO of The Health Information Trust Alliance (HITRUST):

  • Security is only as strong as the weakest link: while a covered entity may be secure, its business associate may not be, effectively cancelling out the controls in place and reintroducing the risk of a breach of protected health information (PHI).
  • The compliance requirements will force both covered entities and business associates to evaluate the scope of connectivity and the information shared (i.e., can these services be provided without sharing PHI?). Both of these items will tighten the scope of, and security around, PHI, reducing the risk of disclosure and breaches of patient privacy.

HealthLeaders Media recently caught up with Nutkis for a Q&A about HIPAA privacy and security. The following are some more highlights. The full Q&A can be found on the HCPro, Inc. HIPAA Update blog.

HealthLeaders Media: Business associates must now comply with HIPAA Security Rule and provisions about disclosures in the privacy rule per the HITECH Act. How do you see the industry—covered entities and business associates—handling this?

Nutkis: Internally, both covered entities and business associates should be defining or updating their programs for business partner compliance management. At a high level, HITRUST recommends organizations take the following steps:

  1. Perform a gap analysis of the current compliance process. The analysis should include internal policies, procedures, and contracts measured against a common checklist of requirements that includes HIPAA, HITECH, and other applicable regulations.
  2. Develop or revise a business partner compliance program. The gap analysis will provide management with a clear understanding of what is needed for the purposes of allocating dollars, resources, and time, and how to prioritize these activities.
  3. Coordinate compliance with business partners. Once a program is in place or has been appropriately revised, it is time to start coordinating compliance with your partners, including customers, service providers, and peers. The value of compliance is limited if costs are high and timeframes are long; coordinating with others on a common approach and set of requirements will help contain these issues and reduce exposure.
  4. Implement and maintain compliance. Revise contracts with business partners as they expire, include addendums, and ensure new contracts are up to par with the new program. Ensure compliance is maintained through notification of any violations. Organizations can minimize issues by maintaining a list of security contacts at each partner.

A significant issue is not just business associate compliance, but the interpretation of the requirements by their healthcare customers. This is leading to business associates being asked to comply with hundreds of proprietary security questionnaires and requirements, adding cost and complexity to the healthcare system.

HealthLeaders Media: Are business associates ready for this change?

Nutkis: HITRUST held a Business Partner Summit to begin to explore these issues and identify ways that industry can collaborate to clarify and streamline the process. A key take-away from the summit is that organizations are spending increasingly more on business partner compliance, while overall confidence in the effectiveness of these compliance efforts is actually decreasing. This is due to both the variety of requirements and wide range of business partners with different scopes, information security programs, and risk profiles.

Using our Common Security Framework (CSF) as the overarching framework of requirements and our certification, HITRUST is actively working to help organizations address this issue by defining a single, simplified business partner compliance process.

This includes setup, assessment, remediation, reporting, monitoring, alerting, and continued improvement. Our participants believe the HITRUST model will both reduce the risk exposure and contain costs for all stakeholders.

HealthLeaders Media: Did this change your client base already?

Nutkis: HITRUST has seen a significant increase in the number of organizations adopting the CSF to comply with business partner requirements, both in instances where their customer requires it and to promote it in lieu of proprietary requests.
