The Data Security Implications of 'Meaningful Use'
With the “meaningful use” provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH), the U.S. government is actively encouraging healthcare organizations to switch from paper health records to electronic health records (EHRs), with incentive payments to providers that meet certain thresholds for use of EHR technology. The government’s rationale is that EHRs give patients greater access to and control over their own information and allow hospitals to operate more efficiently. In line with this vision, healthcare organizations have entered new partnerships with technology firms to help them format, migrate, and store their information electronically. These vendors may in turn outsource operations to other companies, increasing the number of hands through which patient information gets passed.
Although these partners are vital to the modernization effort, they also expose healthcare management to new risks—an exposure that has recently become more acute. The final rule for HITECH states that, effective March 26, 2013, such business associates—a term extending to both contractors and subcontractors—are to be held liable for data breaches. (The final rule, which was published in the Jan. 25, 2013, Federal Register, adopts the proposal to apply the business associate provisions of the HIPAA Rules to subcontractors.) The final rule is intended “to strengthen the privacy and security protections … for individual’s health information maintained in [EHRs] and other formats.” Much of it focuses on the vendors that handle personal health information on behalf of healthcare organizations. Data suggest there is reason for concern: The U.S. Department of Health & Human Services reports that, since 2009, among breaches affecting more than 500 patients, 114 of the 543 have been due to actions of business associates.
What do these trends mean for healthcare management? The dual demands of greater access and increased security will force healthcare organizations to be more proactive in selecting responsible vendors, ensuring their compliance with new regulations, and designing business associate agreements that outline clearly the responsibilities and liability should a data
This analysis was prepared by ACE Professional Risk, New York. For more information, contact Anthony Dagostino, vice president, at email@example.com or Michael Tanenbaum, senior vice president, at firstname.lastname@example.org
Publication Date: Monday, April 01, 2013