
Take Advantage


By Ruby Raley, Director of Healthcare Solutions, Axway

Satisfying the now-in-effect HIPAA Omnibus Rule won’t be a one-time, check-the-box effort for the healthcare industry.

It’ll be a continuous effort, and you won’t have to look any further than the U.S. Department of Health and Human Services’s definition of a business associate (BA) to see why:

Business associates include those that perform services on behalf of the covered entity, such as claims processing, data analysis, utilization review, and billing, or provide services to the covered entity, such as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. To be a business associate, the work of an organization must deal directly with the use or disclosure of protected health information.

In other words, most everyone you come into contact with (who isn’t a patient) will be a BA. So to satisfy the Rule, you’ll have to conduct full HIPAA and NIST security overviews and ensure that everyone from patients to BAs understands and complies. This includes having patients re-sign your updated patient privacy notices and ensuring that BAs:

      • Recognize that self-paying patients’ data can’t be shared with their health plan
      • Comply with security standards; administrative, physical, and technical safeguards; and policies and procedures
      • Understand how and when you and BAs can disclose protected health information
      • Guarantee that every contractor you and/or the BA hires abides by these requirements

It’s a lot of work, and when you add to that the demands of governing the flow of data in and out of your organization, your life as a healthcare professional has just become immeasurably more complicated.

But there’s an opportunity here to combine two initiatives and do all this work just once, one that industry leaders like Kaiser Permanente are taking advantage of — giving patients access to health information on mobile devices.

Patients want to set appointments and reminders, view test results, and seek health-and-wellness advice from their mobile device, the enablement of which falls squarely under the Rule. And that means you can actually distinguish your organization as a leader in your market while abiding by HIPAA mandates and Meaningful Use Stage 2.

In fact, putting the patient in control can reduce the number of BAs needed. For example, offering mobile access can reduce the need for mailers and printing services – a significant source of large breaches. (Stuffing envelopes, it turns out, is more dangerous than it seems, especially if there is an issue early in the print run.)

There’s a nexus of forces coming together to give you the opportunity to do the right thing, on the right device, at the right time. An opportunity to check-box security and privacy rules in a much more time-sensitive way, one that wouldn’t be possible with a mere fax machine or even an outsourced service. You can now know whether patient information can be shared and whether the patient wishes to pay out-of-pocket. You can even put the patient in control of their information by policy-checking data exchange at a centralized gateway — an API management service. With a single front door, centralized credential management, and policy-enforced interactions, self-service and data-flow governance are now possible.

So take advantage of it! Don’t mistake the HIPAA Omnibus Rule for yet another stale, dry compliance/regulatory thing to enforce, something you’re being coerced to bolt on.

Instead, commit to merging it with your prerequisites for Meaningful Use Stage 2, and watch as it helps you solve your pre-existing administrative challenges in a much more transparent and timely way.

