Privacy rules
How to comply with new HIPAA regulations for business associates
Interviewed by Roger Vozar
Companies are being challenged to
protect vast amounts of proprietary
and confidential information. And
now, many are being held to an even higher
standard when it comes to protected health
information (PHI).
“The Health Insurance Portability and
Accountability Act (HIPAA) has existed
since 1996. It’s well established that
covered entities — health care providers,
benefit plans and clearinghouses — have
a responsibility to ensure the privacy and
security of PHI. Recently, the rules have
been tightened to also cover business
associates — organizations with which a
covered entity shares PHI. These changes
mean that business associates now have to
fully comply and be accountable under the
HIPAA security rule,” says Tony Munns,
FBCS, CITP, CIRM, CISA, member, Risk
Advisory Services, at Brown Smith Wallace.
Smart Business spoke with Munns about
the final omnibus rule and what actions
businesses should take.
What prompted the new rule?
A significant number of data breaches were
from business associates who were not
as diligent as they should have been, and
covered entities were not selecting business
associates with the appropriate rigor. A
notable example involved an insurance
company that had a business associate
who was responsible for off-site storage of
sensitive data. The business associate was
using a garage, which was left unlocked and
wasn’t climate-controlled. That contracting
choice has led to separate investigations by
both California and federal regulators.
What action should companies be taking?
The Department of Health and Human
Services said that it’s not sufficient to just
have an agreement; there needs to be
satisfactory assurance that the business
associate can and does follow proper
procedure. Entities covered by HIPAA have
until Sept. 23, 2013, to update their business
associate agreements. Current agreements
do not have to be changed until they’re up
for renewal, but in any case all agreements
have to be updated by Sept. 22, 2014.

Reprinted from Smart Business St. Louis
Tony Munns
FBCS, CITP, CIRM, CISA
Member, Risk Advisory Services
Brown Smith Wallace
(314) 983-1297
[email protected]
Website: We can help you with HIPAA compliance. Visit http://bswllc.com/HIPAA to learn more.
Insights Accounting is brought to you by Brown Smith Wallace
What steps should companies take to
comply with the legislation?
■ Understand the new requirements and
the impact on the business.
■ Update business associate agreements.
■ Apply the satisfactory assurance mandate.
Review existing agreements and perform
due diligence to get comfortable with the
practices of your business associates. This
might involve requesting that audits be
performed, such as Statement on Standards
for Attestation Engagements No. 16 reports.
In the insurance company example, no one
examined whether the person contracted
to provide off-site storage was capable of
providing it to the level expected.
What are other requirements of the final
omnibus rule?
The new rule requires that individuals be
informed that their information has been
breached. Managing breaches is no longer
sufficient. Meanwhile, business associates
are not required to provide a notice of
privacy practices or designate a privacy
official; they only need to comply with the
general privacy requirements and all security
measures, much like covered entities.
The definition of a breach was also
changed from ‘a significant risk of financial,
reputational or other harm to an individual’
to ‘an acquisition, use or disclosure of
PHI in a manner not permitted.’ Under
the old rule, companies that didn’t believe
information was compromised didn’t need
to classify it as a breach. Now they have to
report the breach, but can apply mitigation
to demonstrate there was a low probability
of harm.
What are the penalties?
There are four categories:
■ Ordinary breaches, such as an error or
lost equipment — $100 to $50,000 per
violation.
■ If reasonable due diligence would have
revealed the violation — $1,000 to
$50,000 per violation.
■ Conscious, intentional failure or reckless
indifference, but the breach was corrected
— $10,000 to $50,000 per violation.
■ Conscious, intentional failure or reckless
indifference and the breach was not
corrected — $50,000 per violation.
For all violations, the cap is $1.5 million.
And th