KSR Publishing, Inc.
October 2013

Having My Say


Supply Chain sees HITECH in HIPAA as business associates redefined

Vendor accountability increased for patient data access, privacy

by Gary Johnson

The healthcare supply chain is an intricate web of moving parts. Not only must managers continuously and closely monitor vendors that provide products and services that keep their organizations running optimally, they must also stay on top of increasingly demanding federal policies, such as the one that went into effect recently as part of the HIPAA Omnibus rule.

The final HIPAA Omnibus rule was written into the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. It became effective March 26, 2013, and requires covered entities (healthcare providers, health systems, health plans, clearinghouses) and business associates to provide stronger privacy and security safeguards for their patients’ electronic protected health information (ePHI) or face financial penalties — up to $1.5 million in fines and potential criminal prosecution.

Additionally, the final rule expanded the definition of the business associate.

At its core, the purpose of the new rule is to better protect patients’ electronic health information. According to the Department of Health and Human Services (HHS) Secretary Kathleen Sebelius, "Much has changed in healthcare since HIPAA was enacted 15 years ago. The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age." It makes sense: if you transform an industry from paper records to electronic form and enable the fast movement of health information for care coordination, you will inevitably see more breaches — whether due to error or malice — and patients’ health information will be at risk.

Data breaches are a serious issue that supply chain leaders must address in their own right. In 2012, HHS reported that nearly half of all healthcare organizations experienced more than five breaches a year and that more than 40 percent of those breaches involved third-party vendors. Additionally, the Office for Civil Rights (OCR) Pilot Privacy, Security, and Breach Notification Audit Program indicated that covered entities have insufficient privacy and security controls over their protected health information and insufficient oversight of their business associates.

Business associates under scrutiny

Clearly, there is a problem with protecting patient data and business associates, and the final HIPAA Omnibus rule directly addresses those issues by expanding the definition of a business associate to include:

• Any downstream subcontractor that creates, receives, maintains or transmits PHI on behalf of the business associate, even if they have an indirect relationship with a covered entity;

• Health information organizations, e-prescribing gateways or other persons that provide data transmission services to a covered entity that require routine access to PHI; and

• Any person that offers a personal health record to individuals on behalf of a covered entity.

In recent interviews, compliance officers stated that the number of vendors classified as business associates under the old rule typically ranged between 200 and 750. Under the expanded definition, the same compliance officers believe that the number of vendors classified as business associates would rise to more than 1,000.

Additionally, healthcare organizations are learning that ePHI is handled in the work of many vendors that were previously not considered business associates or data security risks. For example, HHS recently settled with a health plan for $1.2 million in a photocopier breach case in which 344,579 individuals were affected. Because of these recent settlements, as well as the potential for an OCR audit using the pilot protocol — which may randomly select vendors from a provider’s master vendor file to audit the "business associate" determination and documentation — many organizations are taking a more aggressive risk management stance by completing rigorous reviews of all vendors.

Healthcare organizations are establishing new policies and procedures for selecting vendors and determining a business associate’s status upfront. They are revising the vendor relationship management procedure and detailing the permitted uses of ePHI. Often, they are requiring proven assurances that the business associate will not use or further disclose ePHI other than as required by the contract and/or by law. Additionally, these covered entities are mandating that business associates use appropriate safeguards to prevent the disclosure of protected health information. And if a covered entity learns of a material breach or violation of the contract or agreement, it is required to take reasonable steps to cure the breach or end the violation — if unsuccessful, it must terminate the contract or arrangement.

Supply Chain clarion call

Supply Chain leaders must answer the bell. With HHS holding healthcare organizations equally responsible for their business associates’ actions in relation to ePHI, covered entities must assume greater oversight of their vendors’ hospital-based activities.

Supply Chain managers must step in as their organization’s HIPAA compliance champions regarding vendor relationship management, and take greater control over areas of non-labor spending that are typically not under their purview. As the photocopier breach example showed, it is critical that Supply Chain managers play a part in all vendor relationships including IT, physician preference items, research vendors, purchased services and vendors selected and used by ambulatory care providers that are part of the organization’s expanded care model.

The supply chain will also be relied upon to initiate policies that help their organizations determine exactly which vendors are business associates and ensure that those vendors are conforming to the rules covering ePHI. With support from their compliance, legal and accounts payable departments, supply chain leaders will be confident that vendors have provided the requested documents and are adhering to all of the hospital’s requirements.

Documenting policies in action as procedures is important for OCR audit readiness and for defending against willful neglect charges should a HIPAA data breach occur. These activities can be facilitated with procurement cycle management software from the appropriate partners that assists supply chain managers in vendor sourcing, contract workflow and archiving, credentialing and onboarding.

Supply Chain leaders should take advantage of the new rules. The official definition of "omnibus" according to Webster’s, "of, relating to or providing many things at once," causes most people to cringe. And in the case of the new regulations related to ePHI, the law should not be taken lightly.

But in the case of protecting patient data, more oversight isn’t necessarily a bad thing. With a supply chain oiled to perfection — one that has greater control over its business associates — healthcare organizations are afforded unique opportunities to negotiate new contracts with their partners that include rules to ensure that business associates meet the internal standards the hospital has set for itself. With a supply-chain-driven, technology-supported business associate oversight program, they will be able to protect their hospital personnel and, even more importantly, their valued patients.

Gary Johnson serves as Chief Marketing Officer of Vendormate. Johnson has more than 20 years of industry experience growing B2B healthcare companies focused on software and devices.