Healthcare organizations, BAs slow to become HIPAA compliant

With the first year of enforcement of the final HIPAA Omnibus rule coming to a close, there has been little impact due to a lack of interest to become compliant, security consultant Andrew Hicks tells Rather, the disconnect for HIPAA compliance has come from organizations that are being pulled into the compliance reluctantly, Hicks says, in particular business associates.

"They don't understand why they are on the hook for," he says. "They may not even be tied at all to the healthcare industry, they just have that data in their environments."

Many entities, he says, are fighting to have the BA classification removed.

The deadline for the revision of business associate agreements is today. Under the HIPAA Omnibus rule, business associates and subcontractors that work with covered entities now are accountable for privacy and security of personal health information.

Those business associates are one of the biggest security threats to the industry, Mary A. Chaput, chief compliance officer at Clearwater Compliance, writes at Becker's Health IT & CIO Review. One example is the LabMD case, where the organization had to close its doors after a breach because of inadequate security in a BA's file-sharing service, she writes.

Some ways Chaput says healthcare entities can ensure diligence from BAs include conducting a inventory, risk-rating and reviewing BA regulations and agreements.

When it comes to complying with HIPAA, one area entities are finding confusing is the HIPAA Security Rule, Hicks says. The rule is very subjective and risk-based, so organizations that are new to it "kind of throw their hands up in the air and don't know where to start," he adds.

Many also don't have the time or resources to get them through a full HIPAA security gap or risk-assessment, he says.

With the Office for Civil Rights hinting that it will ramp up enforcement of HIPAA, Hicks says that one important thing covered entities and BAs can do to help with compliance is adopt a solid IT security framework, which then ties back to HIPAA and satisfies 90 percent of it.

Heading down the road, Hicks says the increased scrutiny from OCR and increased attention given to security breaches will cause a shift, and organizations will continue to want to develop their HIPAA compliance plans.

To learn more:
- listen to Hick's interview
- read Chaput's commentary