The HIPAA/HITECH final omnibus rule may make business associates responsible for ensuring the security of protected health information (PHI) but it does not let covered entities off the hook as regards ultimate responsibility for that data.
That is the view of Kimberly Holmes, deputy worldwide healthcare product manager for specialty lines at the Chubb Group of Insurance Companies.
“The final rule has expanded the definition of business associate to really be anybody who touches and handles PHI on the covered entity’s behalf, not just transmits or stores it,” she said. “Those business associates now can be directly liable themselves, so the department of Health and Human Services can go after them directly for liability if there is a data breach.
“But the covered entity is never off the hook for ultimate liability because it’s they who own the PHI so the onus is on them, the covered entity, to do their homework and do their due diligence.”
She said that covered entities should do everything they can to ensure that the vendors and service providers they deal with have adequate safeguards in place to prevent a data breach from occurring.
“You need to vet those associates and make sure they have the right controls, protocol, training requirements etc, because at the end of the day the covered entity always owns that liability under HITECH. The covered entity is never off the hook.”
PHI, Chubb Group, HITECH, Health and Human Services