TRENDING:

Policing the 'Data Supply Chain'

How to Protect Patient Data Wherever It Resides Marianne Kolbasuk McGee (HealthInfoSec) • August 23, 2013     12 minutes   
Policing the 'Data Supply Chain'
An important aspect of HIPAA Omnibus Rule compliance for covered entities as well as business associates and their subcontractors is policing what privacy attorney Gerard Stegmaier calls "the data supply chain."

That's because under HIPAA Omnibus, the responsibility to protect patient data runs downstream from covered entities to business associates and their subcontractors.

The rule states that business associates and their subcontractors that "create, receive, maintain or transmit protected health information for a function or regulated activity" are directly liable for HIPAA compliance.

As a result, all the business partners need to modify contracts and keep better tabs on where data flows.

"As a practical matter, what we're seeing is that the business associates are looking at their data supply chain and their internal controls," Stegmaier says in an interview with Information Security Media Group.

Covered entities' negotiations with business partners include discussions about responsibilities related to breach notification, as well as restitution if there is a breach. "People are concerned about what their responsibilities will be," he says.

"It's increasingly common that business associate agreements will require the business associate to execute sub-business associate agreements with their vendors and suppliers," he adds.

Vendor Reluctance

Still, many vendors are reluctant to sign business associate agreements, especially contracts that have them accepting breach responsibilities, added security burdens or costs related to protecting patient data, Stegmaier says.

"We are seeing those sub-business associates refusing to execute these business associate agreements, and trying to argue that they are not a business associate. ..." he says. "It's a difficult situation for a lot of providers downstream."

In the interview, Stegmaier also discusses:

  • Steps to take if a vendor refuses to sign a business associate agreement;
  • The difference between protecting PHI in a private vs. public cloud;
  • Why HIPAA Omnibus will spur the increased use of encryption by cloud providers.

Stegmaier, CIPP/US, is a privacy and security attorney at Wilson Sonsini Goodrich & Rosati in Washington, D.C. He also serves as an adjunct professor at George Mason University School of Law. He formerly served as a member of the Virginia Legislature's Joint Commission on Technology & Science Privacy Advisory Committee and successor committees.

Previous
HIPAA Audits: Documentation Tips
Next
HIPAA Omnibus: Compliance Update



Around the Network

How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing omnibus.healthcareinfosecurity.com, you agree to our use of cookies.