The omnibus rule, which kicked in a little over a month ago in September, establishes a new set of expectations and possibilities on the enforcement front. HIPAA provisions now apply to Business Associates, creating new accountabilities for vendors doing business with healthcare, which increases the Office for Civil Rights' (OCR) flexibility in pursuing formal action and provides for an expanded set of subjective criteria for determining fines. It is not likely to dramatically change OCR's approach to enforcement, however, or the office's commitment to the protection of patient information through appropriate compliance as the primary goal of its enforcement activities. Indeed, there is plenty to understand about the Final Rule on Privacy & Security.

The omnibus rule clearly delineates who is a business associate and when that liability occurs, and at the same time makes it clear that vendors doing business with healthcare entities will be subject to the same level of scrutiny as their covered entity counterparts. It also describes a new focus on incidents occurring with a business associate as a shared responsibility, assumes a closer degree of collaboration between covered entities and business associates, and emphasizes that covered entities must have a clearer understanding of their vendors' ability to protect their data appropriately. It assumes due diligence prior to contracting, evaluation of capabilities during contracting, and monitoring throughout the contract. Covered entities who do not take this seriously run the risk of being implicated during a review or investigation of one of their vendors by OCR as a result of a breach or complaint.

HIPAA's security rule provides for remedies when faced with a vendor who has demonstrated some form of noncompliance. The entity can terminate the relationship or provide the vendor with some period of time to fix the issue. If that doesn't work, the next step is to report the vendor to OCR. Organizations that do not follow this process, and who become aware of a noncompliant situation, fail to remedy it and continue to utilize the vendor in question, will increase their own liability for enforcement action in the event of an incident. OCR has long had a policy of focusing on compliance before enforcement and an even-handed approach to dealing with those that have had incidents.