This article first appeared in mHealthNews on December 9, 2014.


When the Final Omnibus Rule came into effect on March 23, 2013, the intent was to make business associates (BAs) more accountable for the protection of the data they were managing on behalf of covered entities (CEs) such as hospitals or health plans. Prior to this, BAs were only liable for whatever was put into a Business Associates Agreement (BAA) by the CE, and even then that liability was restricted to any civil action that may be taken by the CE.

However, the Final Omnibus Rule extended the same federal provisions to BAs that had previously been restricted to CEs, meaning that whether a business associate signed a BAA or not, they were federally required to operate in accordance with the Security, Privacy and Breach Notification rules. Failure to do so could result in federal penalties of up to $1.5 million per breach type, and even criminal prosecution.

This change was driven by the fact that an increasing percentage of healthcare data is being managed by BAs such as health IT vendors. While covered entities still account for the majority of breach incidents, BAs are responsible for most of the records breached.

However, after an initial flurry of activity before and after this date, most business associates have responded to this change with general apathy. Being in a position to talk every day to companies that operate as business associates, I am repeatedly underwhelmed by their efforts to take security and compliance seriously, despite this change in the law. Indeed, even when offered the chance to enhance their security posture and, by extension, their compliance with HIPAA regulations in a simple and affordable manner, many decline to do so, citing a conflict of priorities. It’s not that they are necessarily unaware of the potential consequences – rather, they simply do not see it as a sufficient priority. They often see themselves as being too small, or believe they first need to build a business before worrying about protecting it. And the reality is that they see no immediate consequence to their procrastination.

It’s like the speed limit being reduced from 65 mph to 55 mph. While notices are posted, after initial caution by drivers, they see no police cars on the side of the road or any evidence that anyone is being pulled over, so they don’t reduce their speed. Indeed, as more cars come onto the freeway some start to go faster, which encourages others to follow suit. Everyone knows they are speeding, but then everyone else is doing it and no one seems to be getting penalized for it.

The challenge for companies is that while there may not be visible enforcement right now, that is because it takes a while for breaches to be discovered, investigated and adjudicated – on average about three years. Most HIPAA judgments being pronounced today relate to breaches that occurred in 2011.

So to extend the previous analogy, while there may not be police visible on the side of the road, there are speed cameras. The violators will not receive their speeding ticket until a considerable time after the offence was committed, meaning they continue to speed long after their first offence.

In terms of HIPAA enforcement that means most judgments will not become public until 2016, at which time I would hope most BAs will already have realized that it can happen to them, and will have started making adequate protections an imperative. But until they do, they will need to hope they do not drive past an OCR speed camera.

Grant Elliott is the founder and CEO of Ostendio, an Arlington, Va.-based information security compliance company, and co-founder and president of the Health Care Cloud Coalition (HC3).