Varnex: Updated HIPAA Guidelines Mean Changes For VARs


The clock is ticking for solution providers to ensure they are compliant regarding updated modifications to the Health Insurance Portability and Accountability Act of 1996.

The modifications could mean big changes for VARs, especially if they use subcontractors such as backup storage providers as part of their data protection solutions, said Mike Semel, president and chief compliance officer for Semel Consulting, a Las Vegas-based business continuity and compliance company, during a breakout session at Synnex's Varnex conference in Orlando, Fla., Monday.

The federal government formalized the HIPAA Omnibus Final Rule in January. It went into effect March 26, and companies and organizations have until Sept. 23 to become compliant under the new guidelines, Semel said.

 

[Related: Top Healthcare Breaches And The Rising Costs To Organizations]

One of the most important aspects of the new rule for VARs is updated rules regarding the use of subcontractors classified as "business associates," companies that access and handle patient data on behalf of healthcare agencies. VARs need to sign business associate contracts with their healthcare clients, and they also must sign any company they work with around patient data, such as a colocation company or backup storage provider, to business associate contracts, Semel said.

"If you haven't signed them in the past, they need to be signed now," Semel said. "You're responsible for everybody behind you: online backup companies, data centers, maybe multiple data centers. You're responsible for all that."

If a data breach occurs and there is not a business associate contract in place, a VAR could face significant fines or penalties, Semel said.

"You've got $1.5 million riding on that, so it's worth it get it right," Semel said. The $1.5 million figure comes from a fine the Massachusetts Eye and Ear Associates agreed to pay after a doctor had an unencrypted laptop stolen that contained patient data, Semel said.

The Massachusetts case is just one of several high-profile, and expensive, fines levied against organizations that failed to protect sensitive patient data under HIPAA guidelines.

Judy Wendt, owner of Laser Tech, an El Paso, Texas-based solution provider, said her company has a lot of work to do to get compliant on the updated HIPAA guidelines.

"We do basically have our employees signed [under] the compliance and all that, and we do have some stuff in place but not nearly what we need to have," she said.

Wendt did not know about the change necessitating contracts from all subcontractors until sitting through the breakout session. "That's what we're going to have to do. I never even thought about that to tell you the truth. But that's OK, that's why I'm here," she said.

NEXT: Next Moves For VARs To Become Compliant