Don’t Let a Business Associate Compromise Your HIPAA Compliance

The following is a guest post by Kari Woolf, Senior Global Product Marketing Manager, Novell.
Traditional healthcare organizations are no longer the only enterprises expected to comply with the strict rules and regulations of the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services (HHS) recently issued the final omnibus rule of HIPAA, which creates significant liability for many technology enterprises, as it has extended the requirement of HIPAA compliance to healthcare “business associates.”

Defining an “organization” and a “business associate.”

A healthcare organization is a healthcare provider, health plan or healthcare clearing house. A business associate is defined as any company that provides its services to healthcare providers, health plans or healthcare clearing houses. These organizations have always been required to comply with HIPAA. Under the new omnibus rule of HIPAA, business associates are now required to be HIPAA-compliant as well. Even companies that may not view electronic protected health information (ePHI), but store, transfer, conduct transactions or in any way manage files for healthcare organizations must comply, and healthcare organizations have to have a business associate agreement in place with those companies.

What does this mean for healthcare organizations?

Organizations often let their employees use cloud-based solutions because they believe sharing internally is not in violation of any HIPAA ordinance. However, any time a file is shared via the cloud it is then in the hands of a company that could be considered a business associate. In most cases, these business associates are not HIPAA-compliant, creating an unnecessary risk for the organization.

The business associate might get in trouble—but the healthcare organization is almost sure to get in trouble. HIPAA regulators are cracking down on traditional healthcare organizations. HHS recently announced the first HIPAA breach settlement involving less than 500 patients at the Hospice of North Idaho (HONI). According to the HHS resolution agreement, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices. This resulted in a $50,000 fine, a two year probation period and extensive reporting requirements for up to six years.

What can healthcare organizations do?

Regardless of any regulations, organizations must enable employee access to important materials from whichever devices or locations employees need to work from. This challenges IT to maintain control of ePHI while still enabling employees to access and share files.

An on-premise solution is a viable option for these organizations to remain HIPAA compliant. Employee productivity and user experience don’t have to be abandoned, as a robust on-premise solution can enable a cloud-like, user-friendly experience with corporate data and files. Organizations can remain HIPAA compliant with certain, trusted cloud solutions, but IT needs to ensure that the cloud provider they choose has the enterprise experience to keep data safe, and with controls and restrictions that only allow the right people to access the right files. Consumer-focused cloud solutions like Dropbox won’t be sufficient for HIPAA compliance. SkyDrive from Microsoft, for example, just announced that IT can now see who has viewed and altered certain documents from the platform. While this is a step in the right direction, visibility alone does not prevent data breaches; it only serves as a notification after the fact, when it may already be too late.

Here’s a quick list of action items to help you maintain HIPAA compliance:

  1. Consider an on-premise solution: Reconsider whether the trouble of relying on a business associate is worth the benefit. On-premise solutions offer all the same capabilities that cloud solutions do, and in fact, most on-premise solutions are more mature and offer better features. Most importantly, they provide a secure foundation for accessing and working with ePHI.
  2. Conduct a full audit of third-party apps in use: Popular mobile apps like Dropbox, Evernote and even Gmail are not HIPAA-compliant. Using these apps constitutes giving ePHI to noncompliant business associates. Employees may not realize this—they simply want to use the apps they’re familiar with. You need to police the issue. Not sure how to do this? A good mobile device management solution should have tools to help you.
  3. Use a mobile device management tool that can remotely wipe a device if it is lost or stolen: This empowers the network administrator to track and manage access to sensitive data. If a device with ePHI is compromised the network administrator can quickly and efficiently delete the data and minimize any risks. Better yet…
  4. Use your mobile devices as gateways, not destinations: Employees are going to use mobile devices, and there’s little sense in trying to stop them. Instead, make sure those devices don’t become the destination for your ePHI and instead act as a gateway. Employees can access files through their mobile devices without having the actual files on the mobile devices. On-premise solutions will keep ePHI in your data center without it being compromised through cloud storage and file-sharing services.
  5. Audit mobile devices frequently: All organizations need to have an updated auditing schedule for mobile devices to ensure they are in compliance with any and all organization and regulatory requirements.
  6. Sign a business associate agreement with any outside organization that touches your ePHI: If a cloud vendor or other business associate won’t sign an agreement, find one that will or consider an on-premise solution.

Kari Woolf is a Senior Product Marketing Manager and Collaboration Marketing Lead for Novell. She has been with the company for more than 14 years in a variety of marketing and communications capacities. In addition to her high tech marketing experience, she served as an account manager and content director for a creative agency specializing in live events. She holds a Bachelor of Arts degree in Political Science from Brigham Young University.

About the author

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

1 Comment

  • I enjoyed the article. The strict rules under Omnibus are causing havoc for covered entities via their business associates. Here is my question: I deal with small practices, they are using an EMR and a lot of the EMRs are only compatible with a single clearinghouse. The situation is that the EMR is “compliant” and has signed the BAA but the clearinghouse refuses to sign the CE’s BAA; they insist that the doctor accept the clearinghouse’s BAA, which leaves out many of the BA liability clauses. What can a small practice do? Switching EMR is extremely expensive and very disruptive to the practice.
