Secure360

Information security and privacy management in healthcare

March 28, 2013 by Rebecca Herold

Image courtesy of PivotPointSecurity.com

Historically, organizations that outsourced have pretty much done just one thing to ensure their outsourced business partners would appropriately protect the information they had been entrusted with, whether by access or by possession: include a brief information security clause with no details to speak of. Oh, and also include a lengthier “No Liability,” or “Limited Liability,” clause to try to avoid being held accountable for the bad things that happen to their information under their business partner’s care.

However, the recently released HIPAA Omnibus Rule makes clear that, in the healthcare space, such attempts will no longer make a difference, and that covered entities (CEs) can be found liable for the actions of their business associates (BAs). This is an important tide-change that will soon ripple throughout all other industries with regard to holding organizations responsible, to varying extents, for the actions of their outsourced business partners.

Consider the discussion the Department of Health and Human Services (HHS) included in the 563-page tome that is the Final Omnibus Rule. They emphasized that the changes:

“make covered entities and business associates liable under § 160.402(c) for the acts of their business associate agents, in accordance with the Federal common law of agency, regardless of whether the covered entity has a compliant business associate agreement in place.

Section 160.402(c) closely tracks the language in section 1128A(l) of the Social Security Act, which is made applicable to HIPAA by section 1176(a)(2) of such Act, which states that ‘‘a principal is liable for penalties . . . under this section for the actions of the principal’s agents acting within the scope of the agency.’’ One reason for removing the exception to the general provision at § 160.402(c), as we explained in the NPRM, is to ensure, where a covered entity or business associate has delegated out an obligation under the HIPAA Rules, that a covered entity or business associate would remain liable for penalties for the failure of its business associate agent to perform the obligation on the covered entity or business associate’s behalf.”

The emphasis in the above is mine. It seems this logic would apply to organizations of any type, wouldn’t it? Especially since the basis is the Social Security Act, which all businesses must observe? I’ve had some interesting discussions with some of my privacy lawyer friends, some of whom believe strongly it will, and some of whom believe it won’t. Such uncertainty tells me that it will ultimately become a matter that a court decision decides, most likely sooner rather than later.

It has always been a good business idea to make sure that the organizations entrusted with business and customer information have strong controls in place to protect that information. Even without any explicit statements such as those made by the HHS, whenever it comes time to file a civil suit, the chances are the entity with the deeper pockets, which is usually the business that is doing the outsourcing to another entity, will be the one that is taken to court.

Does a business really want to take such a large gamble that its business partners don’t need any information security and privacy oversight, when losing that gamble could result in the loss of literally millions of dollars and decades of regulatory agency audits and oversight?

Filed Under: Guest Posts

About Rebecca Herold

Rebecca is a widely recognized and respected expert in information privacy, security and compliance. Rebecca has been named in the “Best Privacy Advisors in the World” list all years Computerworld magazine has released their rankings, along with receiving many other awards and recognitions. Rebecca has been leading the NIST Smart Grid privacy subgroup since June, 2009. Rebecca’s Compliance Helper service helps healthcare organizations and their business associates to meet their HIPAA, HITECH and other information security and privacy requirements. Rebecca has been an Adjunct Professor for the Norwich MSIA program since 2004, and she is working on her 15th published book.
