HIPAA Case Study: Tackling BA ChallengesCaroMont Health Official on Complying with HIPAA Omnibus Rule
Note: This piece is one of a series of new articles detailing healthcare organizations' efforts to meet the Sept. 23 HIPAA Omnibus Rule compliance deadline.
CaroMont Health, like most healthcare systems in the U.S., is racing to comply with the HIPAA Omnibus final rule. That work includes hunting down hundreds of business associate relationships so that contracts can be reviewed for HIPAA compliance.
The 435-bed hospital in Gastonia, N.C. has a review under way of all its HIPAA policies to make them compliant with changes under Omnibus, says Shallie Bryant, CaroMont assistant manager of HIPAA privacy and security.
And among the biggest of those efforts is "a mass search" to identify business associates that need to be tracked down to sign business associate agreements if contracts are missing, as well as to revise BA agreements if necessary.
Under HIPAA Omnibus, business associates and their subcontractors are liable directly for HIPAA compliance if they "receive, create, maintain or transmit protected health information on behalf of a covered entity." And as part of the compliance requirements, covered entities must have business associate agreements in place that spell out how these vendors are safeguarding protected health information, and also the obligation of business associates to notify the covered entity when there is a breach involving PHI.
Modifications to existing business associate contracts must be made by Sept. 23, 2014, but agreements for new relationships and contract renewals that were executed after the HIPAA Omnibus was published in January need to be modified by Sept. 23 of this year.
"Our business associate policies and agreements were close to the interim rule" on which much of the final rule is based, Bryant says. Still, CaroMont wants to ensure that all business associate relationships and agreements are properly accounted for now to ensure full compliance.
In Search of BAs
Hunting down business associate relationships is extra challenging for CaroMont because, like many other healthcare systems in the U.S., it has grown over the years through mergers and acquisitions. So, in addition to its medical center, CaroMont Health also has 45 primary care and specialty care practices, as well as a hospice and skilled nursing center. The business associate agreements in place at all of these facilities need to be accounted for, Bryant says.
To date, CaroMont has counted more than 250 business associates, but that tally is expected to grow as other relationships are identified.
"We need to understand who our business associates are who have PHI; who needs updates of contracts; and what are business associates doing with subcontractors?" Bryant says.
In rounding out that inventory, CaroMont is identifying the business associates through help of its accounts payable system, as well as through its legal contracts department.
Additionally, the compliance team is sending e-mails to department heads and managers, describing what the HIPAA Omnibus rule says, and asking if their staff work with vendors that handle PHI.
"We give them some examples" of who a business associate could be, she says. "The e-mails just pour in," she says of the general response. Her team also goes to senior leadership meetings and the executive team and says, "we need you to talk to your staff" so everyone is more aware of the need to identify and report business associate relationships.
"We are working with the compliance office and senior leaderships to get them to understand that if any new or current business associate is not prepared to follow the Omnibus rule, then we may have to terminate that relationship," Bryant says. "Based on those new fines and penalties, we can't take that chance" of a relationship with a business associate not ready to comply, she says. Under HIPAA Omnibus, fines can range up to $1.5 million per HIPAA violation.
So far, CaroMont has not determined any relationships that will need to be terminated, but Bryant's team is still collecting business agreements and determining who is handling PHI. "I can also tell you that there have been strong negotiations back and forth," in the modification to agreements when needed, she says.
For instance, CaroMont's business associate agreement requires that business associates notify CaroMont within five business days if they've had a breach involving PHI. "We often have push-back from some [vendors] saying 'we need 10 days, we need 15 days,'" she says. "But we can't do that. Under the [Omnibus] breach notification rule, we have 60 days to investigate and notify the patient without reasonable delay if there's a breach, so we need to know as soon as a breach is discovered."
Another requirement that's part of CaroMont's business associate agreements includes encryption.
"The HIPAA security rule does not specifically say 'you must encrypt.' However, it's highly recommended," says Bryant. "So when we sign a business agreement with someone who's storing our PHI, like a billing company, part of that is you have to make sure that information is encrypted," she says. "We've had some push-back where it's delayed the contract, but we'll stand firm."
Although the process of identifying and haggling with business associates isn't simple, one positive thing so far is that none of the vendors that CaroMont has deemed business associates has argued it's not a business associate, she says. "That hasn't happened."
Other HIPAA Compliance Efforts
Business associate matters aren't the only HIPAA Omnibus compliance efforts under way at CaroMont, explains Bryant. "We're taking a strong look at all our HIPAA policies, partnering with the security department and looking at their policies as well, to make sure we are following the final rule and also understand what fits our organization," she says.
Once all the revised policies are in place, her team will roll out new training, she says. "We don't just do computer-based training, we try to hit each individual department" with in-person education, Bryant says. "We have a couple training sessions a year that employees can sign up for. We go to the provider practices - we make sure they know what they need to do based on the Omnibus final rule to do their jobs," she says.
In addition to HIPAA training for employees, a recent rollout of a monitoring system from FairWarning is also assisting CaroMont in its HIPAA breach prevention efforts, Bryant says. CaroMont employees have been informed that CaroMont uses the monitoring system to detect record snooping and other inappropriate data access, she says. "If there's no culture of confidentiality, you have everyone doing their own thing," she says (see: Preventing Insider Breaches).