Supply chain leaders step up as compliance champions

By Mike Paris

Supply chain managers are known for their organizing skills, thoroughness and tenacity. Now they must add one more competency to their repertoire: compliance, thanks to the HIPAA Omnibus rule, which went into effect on March 23.

Written into the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, the new provisions require covered entities to implement additional safeguards to protect their patients’ electronic protected health information (ePHI). The rules include a stricter definition of patient information breaches and stronger privacy-related documentation provisions, including those associated with business associates. Hospitals face up to $1.5 million in fines for noncompliance and potential criminal prosecution from state attorneys general, not to mention the damage to a well-earned reputation and the publicity that follow a data breach.

With so much at stake, hospitals need supply chain leaders to step in as compliance champions. The supply chain has the opportunity to establish enterprise initiatives to protect their organizations from ePHI threats, not only internally, but also from those presented by business associates. In return, the supply chain leader can expand their centralized management over spending to areas not traditionally overseen by supply chain. The supply chain function can play a mission-critical role in regulatory and risk management, further reinforcing the strategic role that supply chain fulfills.

Business Associates Pose a Security Risk

Interestingly, the Omnibus provisions now hold healthcare organizations equally responsible for their business associates’ actions in relation to ePHI. This means that covered entities must assume greater oversight of their vendors’ hospital-based activities, or face the consequences if their vendor is involved in a data-related security incident. The move comes in light of revelations that patient information is still vulnerable to access by unauthorized individuals. A study by the Office for Civil Rights (OCR) concluded that 45 percent of healthcare providers and other covered entities had an average of five HIPAA data breaches during any given year, 66 percent of which involved a business associate.

Among the more significant provisions, the Omnibus rule expands the definition of a “business associate.” Under the prior rules, hospitals typically classified only up to 500 vendors as business associates. Now, however, they will need to oversee up to 1,500 third-party firms, including subcontractors that create, receive, maintain or transmit protected health information (PHI) on behalf of business associates, as well as entities that provide data transmission services or that require access to PHI on a routine basis. Firms that provide and manage personal health records on behalf of a healthcare organization, as well as financial institutions that provide services to healthcare providers, are also covered by the provisions.

The new rules require supply chain leaders to elevate their vendor credentialing practices, requesting and receiving satisfactory assurances from their business associates with thorough documentation that they have implemented the appropriate security measures, policies and procedures to protect patient information. And they should do so quickly; hospitals must adhere to the new Omnibus rules by Sept. 23, 2013, or risk penalties for noncompliance.

Opportunities to Revamp the Supply Chain

The hospital supply chain can use this opportunity to increase the percentage of total spend that is centrally managed by the supply chain organization, providing greater control and cost reduction. Greater controls and oversight can be achieved in areas of spending and vendor relationships that are typically not driven by the supply chain, such as IT, physician preference items and purchased services. By including the business associate oversight task as part of their vendor management role, supply chain can significantly expand its strategic role. Since all hospital vendors require at least an initial review to determine their exposure to risk for an ePHI data breach, supply chain administrators must insert themselves in these areas, controlling them as part of their enterprise’s vendor management process.

Supply chain managers must initiate policies that will help organizations properly determine who is a business associate and ensure that they conform to the rules covering ePHI. By garnering administrative support from the compliance, legal and accounts payable departments, supply chain leaders will have assurances that vendors have provided the requested documents and are adhering to all of the hospital’s requirements. They should also begin triaging all vendors via technology solutions that assess business associates’ probability (none, low, or medium to high) of a data breach. Combined with vendor surveys that ask questions about their readiness to protect ePHI, healthcare organizations will have additional information on which to base their risk analysis. All of these activities, and the documentation of the actions taken, are part of defending against allegations of lacking oversight or willful neglect and avoiding the worst-case-scenario penalties.

The new rules also create a platform for healthcare organizations to establish new contracts with their partners that include rules to ensure that business associates meet the internal standards the hospital has set for itself, such as performing background checks on all employees with hospital access and HIPAA training. These activities can be facilitated with procurement cycle management software which assists supply chain managers in vendor sourcing, contract workflow and archiving, credentialing and onboarding.

The new HIPAA Omnibus rule governing the protection of ePHI should not be taken lightly. The federal government will begin auditing covered entities this fall, utilizing information such as accounts-payable vendor files. If supply chain personnel are serious about audit compliance, and more importantly, protecting their patients’ protected health information, they will act today to implement a supply-chain-driven, technology-supported business associate oversight program.

Mike Paris is vice president of eCommerce and supply chain solutions for Vendormate, which helps providers and vendors meet the regulatory and compliance requirements that form the foundation of strategic partnerships.