Many vendors not ready for HITECH compliance

Vendors may be the Achilles heel of HITECH compliance, says L. Elise Dieterich, JD, a partner with the law firm Sullivan & Worcester in Washington, DC. "The important point here is that the HITECH amendments to HIPAA extended the rules and penalties that previously applied only to health care providers, to many of their vendors, as well," she says. "This means that both health care providers and all of their vendors that handle or have access to patient information should be revisiting their contracts to ensure that the contracts allocate the risk and responsibility associated with HIPAA compliance."

A key issue for providers implementing practice management systems and, in particular, electronic medical records, will be ensuring that their software provider and other vendors are fully compliant with HITECH, Dieterich says.

"Specifically, health care providers and their vendors now share responsibility — and liability — for any breach of confidentiality of patient information handled in electronic form," she says. "Health care providers must ensure by contract that their business associates meet the HITECH Act's expanded HIPAA requirements."

They may not be ready. Many business associates, that is, those who handle private patient information for health care organizations, are largely unprepared to meet the new data breach-related obligations included in the HITECH Act, according to the results of a survey by HIMSS Analytics, a not-for-profit subsidiary of the Healthcare Information and Management Systems Society (HIMSS) in Chicago.

Business associates can include billing services, credit bureaus, benefits management firms, legal services, claims processors, insurance brokers, data processing firms, pharmacy chains, accounting firms, temporary office personnel, and offshore transcription vendors. The HIMSS Analytics research revealed that about one-third of business associates surveyed were not aware that they need to adhere to federal HIPAA privacy and security requirements. But the survey also revealed that health providers are taking action:

• 85% of health providers said they will take steps to ensure that data held by business associates will not be breached.

• Nearly half of hospitals, 47%, said they would actually terminate their contracts with their business associates for violations.

"Business associates could represent a risk to health care organizations, especially hospitals," says Lisa Gallagher, BSEE, CISM, CPHIMS, senior director, privacy and security for HIMSS. "The lack of awareness of new federal regulations by business associates, coupled with the large number of third parties hired by hospitals to control costs through outsourcing, points to a potential area of concern. Hospitals, in partnership with their business associates, need to actively prepare to comply with the new rules when these breaches happen."

The research also found that:

• 50% of large hospitals experienced at least one data breach this year;

• 68% of all hospitals indicated that the HITECH Act's expanded breach notification requirements will result in the discovery and reporting of more incidents, and 57% reported that they now have a greater level of awareness of data breaches and breach risk;

• 90% indicated they have changed or plan to change policies and procedures to prevent and detect data breaches.

HITECH leaves some thorny questions about business associates unanswered, says Glen Day, CISSP, CISM, a principal with the consulting firm of Booz Allen Hamilton in Los Angeles and the former chief privacy officer for Los Angeles County during the initial implementation of HIPAA. For instance, the law says business associates who suffer a privacy breach must report that to the health care provider, and the provider, because it has the primary relationship with the patient, is responsible for reporting the breach to the government and notifying patients.

"They don't say who's supposed to pay for that. So, is the hospital going to be on the hook when the associate caused the breach?" Day says. "Is the hospital going to have its brand damaged because of what a third-party contractor did? If risk managers aren't looking at the true risk of associates mishandling data, you probably won't write the contract with sufficiently strong language."

Day advises including contract provisions that make the associates responsible for any liability resulting from a breach. Demand this protection up front, because once a breach happens, the provider is obligated to notify patients, regardless of whether you are successful in trying to get the associate to do the right thing, Day says.

Risk managers also must be on the lookout for some tricky parts of HITECH, Day says. For instance, HITECH provides a safe harbor for the accidental release of information that was encrypted, so a data breach doesn't necessarily mean a privacy breach if that information was encrypted so as to make it useless to another party.

"But how is it encrypted? Is it encrypted with some simple password that can be broken by anyone with some simple tools in a matter of minutes? Was it encrypted using high-end technology that you can trust won't be broken?" Day says. "The government tells you what to do — but not how well to do it. So, providers need to take ownership of how well they need to do it, based on existing risks, existing threats, and how you do your business."

For more information on HITECH risks from vendors, contact:

• Glen Day, CISSP, CISM, Principal, Booz Allen Hamilton, Los Angeles. Telephone: (310) 297-2120. E-mail:

• L. Elise Dieterich, JD, Partner, Sullivan & Worcester, Washington, DC. Telephone: (202) 370-3925.