Policing the 'Data Supply Chain'How to Protect Patient Data Wherever It Resides
That's because under HIPAA Omnibus, the responsibility to protect patient data runs downstream from covered entities to business associates and their subcontractors.
The rule states that business associates and their subcontractors that "create, receive, maintain or transmit protected health information for a function or regulated activity" are directly liable for HIPAA compliance.
As a result, all the business partners need to modify contracts and keep better tabs on where data flows.
"As a practical matter, what we're seeing is that the business associates are looking at their data supply chain and their internal controls," Stegmaier says in an interview with Information Security Media Group.
Covered entities' negotiations with business partners include discussions about responsibilities related to breach notification, as well as restitution if there is a breach. "People are concerned about what their responsibilities will be," he says.
"It's increasingly common that business associate agreements will require the business associate to execute sub-business associate agreements with their vendors and suppliers," he adds.
Still, many vendors are reluctant to sign business associate agreements, especially contracts that have them accepting breach responsibilities, added security burdens or costs related to protecting patient data, Stegmaier says.
"We are seeing those sub-business associates refusing to execute these business associate agreements, and trying to argue that they are not a business associate. ..." he says. "It's a difficult situation for a lot of providers downstream."
In the interview, Stegmaier also discusses:
- Steps to take if a vendor refuses to sign a business associate agreement;
- The difference between protecting PHI in a private vs. public cloud;
- Why HIPAA Omnibus will spur the increased use of encryption by cloud providers.
Stegmaier, CIPP/US, is a privacy and security attorney at Wilson Sonsini Goodrich & Rosati in Washington, D.C. He also serves as an adjunct professor at George Mason University School of Law. He formerly served as a member of the Virginia Legislature's Joint Commission on Technology & Science Privacy Advisory Committee and successor committees.