HIPAA and the Business Associate: What to Expect for 2016
Over the course of the following year, federal regulators must increase their efforts to apply HIPAA compliance to business associates because so few have mature security controls. Mac McMillan, the security expert and CEO of the consulting firm CynergisTek, argues this point.
In 2013, business associates became directly responsible for HIPAA compliance under the HIPAA Omnibus Rule. However, the Department of Health and Human Services’ Office for Civil Rights still has not reported implementing any actions against vendors. McMillan states that it’s unfortunate, considering many of the companies that serve healthcare covered entities have not yet taken on the responsibility of safeguarding protected patient information.
“I’d like to see some of [OCR’s] attention go to vendors with respect to the folks who are housing critical systems … and critical data for our hospitals, and making sure they are doing the job that the hospital is expected to do in protecting patient information,” McMillan states in his interview with Information Security Media Group. McMillan describes what he considers “the lack of maturity in respect to security controls and security programs” for many business associates.
In a number of cases, McMillan has said, if business associates “are doing anything at all, they’re doing things like SOC 2 [Service Organization Control] evaluations around their data centers, and they look at their [HIPAA] requirements, and it’s not that at all. That tells me how well you’re managing your data center, but that doesn’t tell me what your security program is like … or how you’re educating your workforce, or how you’re managing their access to patient information or handling that information. What’s most troubling to me is when we engage with a lot of the business associates today, we are finding out that they don’t have mature security programs at all.”
What to Expect in 2016
Looking to 2016, McMillan anticipates an increase in cyber-attacks against healthcare companies housing client information. He has stated that “we’re going to see more external threats,” and that “the bad guys have figured it out that they can monetize the data that [the healthcare sector] has … and that the information is not perishable; it’s something that can be sold over and over again on the black market and is much more valuable than credit card information.”
Mac McMillan is a co-founder and the CEO of CynergisTek Inc., a consulting firm based in Austin, Texas. The firm specializes in information security and regulatory compliance in healthcare, financial services and other industries. McMillan’s impressive resume includes over 30 years in security and risk management as well as 20 years at the Department of Defense. McMillan is also chair of the HIMSS (Healthcare Information Management and Systems Society) privacy and security task force.