Varnex: Updated HIPAA Guidelines Mean Changes For VARs

The clock is ticking for solution providers to ensure they are compliant regarding updated modifications to the Health Insurance Portability and Accountability Act of 1996.

The modifications could mean big changes for VARs, especially if they use subcontractors such as backup storage providers as part of their data protection solutions, said Mike Semel, president and chief compliance officer for Semel Consulting, a Las Vegas-based business continuity and compliance company, during a breakout session at Synnex's Varnex conference in Orlando, Fla., Monday.

The federal government formalized the HIPAA Omnibus Final Rule in January. It went into effect March 26, and companies and organizations have until Sept. 23 to become compliant under the new guidelines, Semel said.

[Related: Top Healthcare Breaches And The Rising Costs To Organizations ]

One of the most important aspects of the new rule for VARs is updated rules regarding the use of subcontractors classified as "business associates," companies that access and handle patient data on behalf of healthcare agencies. VARs need to sign business associate contracts with their healthcare clients, and they also must sign any company they work with around patient data, such as a colocation company or backup storage provider, to business associate contracts, Semel said.

"If you haven't signed them in the past, they need to be signed now," Semel said. "You're responsible for everybody behind you: online backup companies, data centers, maybe multiple data centers. You're responsible for all that."

If a data breach occurs and there is not a business associate contract in place, a VAR could face significant fines or penalties, Semel said.

"You've got $1.5 million riding on that, so it's worth it get it right," Semel said. The $1.5 million figure comes from a fine the Massachusetts Eye and Ear Associates agreed to pay after a doctor had an unencrypted laptop stolen that contained patient data, Semel said.

The Massachusetts case is just one of several high-profile, and expensive, fines levied against organizations that failed to protect sensitive patient data under HIPAA guidelines.

Judy Wendt, owner of Laser Tech, an El Paso, Texas-based solution provider, said her company has a lot of work to do to get compliant on the updated HIPAA guidelines.

"We do basically have our employees signed [under] the compliance and all that, and we do have some stuff in place but not nearly what we need to have," she said.

Wendt did not know about the change necessitating contracts from all subcontractors until sitting through the breakout session. "That's what we're going to have to do. I never even thought about that to tell you the truth. But that's OK, that's why I'm here," she said.

NEXT: Next Moves For VARs To Become Compliant

Thomas Neault, account executive at NetSync Network Solutions, a Dallas-based VAR, also wasn't aware of the changes to HIPAA guidelines. He said his company doesn't use third-party subcontractors, but it will still have to look for areas of risk.

"As a company, we'll do our own internal audit first to make sure we're in compliance," Neault said. "Our engineers do mostly new configuration stuff so we don't really handle things that have current patient data on them. However, if we start getting into more in-depth consulting services, we're going to have to go back and re-evaluate and make sure we're compliant."

All solution providers should very quickly review their agreements with subcontractors and get business associate contracts signed quickly, advised Semel, of Semel Consulting.

"If you wait, an online backup company may not sign an agreement. How fast can you change your online backup provider," he asked. "If you have subcontractor that touches patient data, any data you give them is a data breach if they don't sign a contract. You just breached and that is reportable and goes to government. You don't want to be doing that."

VARs should also create written policies and procedures around who handles patient data and train their employees on guidelines to protect that data. Create a "chain of evidence" for how patient data is treated, he said.

For example, if a VAR takes a PC out of the healthcare organization's environment to perform a repair, the VAR needs to carefully document where that PC went if it has patient data on it.

"You can't just throw it on the back seat of a car. Call the office; tell them you have it. Lock it in the trunk. Bring it back to your office and hand it to a service coordinator to lock in a cabinet until the service work is done. Reverse that process to bring it back to the client," Semel said.

"You want to be able to document the process to show to an auditor if there ever was a data breach," he said.

PUBLISHED APRIL 15, 2013