HIPAA Omnibus: Business Associate Tasks

Probably one of the biggest changes in the Omnibus HIPAA rule released on Jan. 24th pertains to Business Associates (BAs) and subcontractors. HHS made it clear that BAs are bound by the same standards for securing data and compliance that Covered Entities (CEs) are. If you are a BA to a CE, then you have until Sept. 24, 2013 to achieve compliance. What does this really mean? It means that you need to have policies and procedures for managing and protecting PHI, you will need to document that those policies and procedures are being followed, and you will need to provide HIPAA training annually to your staff who are engaged in activities for the CE. BAs are now required to report breaches and assume full responsibility for PHI in their possession. The article below goes into more detail, but if you haven’t done this as a BA, then it’s time to get a move on. If you are a CE, then it’s time to review those BA contracts and ensure that they reflect the changes in the law and require BAs to fulfill their security obligations under the law.

To comply with the HIPAA Omnibus Rule, business associates and their subcontractors must immediately take several steps, including thoroughly documenting their privacy and security practices, says security expert Susan Lucci.

HIPAA Omnibus makes it clear that business associates and their subcontractors must be HIPAA compliant or risk stiff penalties. As a result, they need to conduct a risk assessment, make appropriate use of encryption and take other precautions to ensure full compliance by the September deadline, Lucci stresses.

“What [business associates] have done previously will no longer be sufficient … They will be as accountable as covered entities” for protecting patient information, Lucci, a consultant with Just Associates, says in an interview with HealthcareInfoSecurity.

Business associates also need to update their agreements with their subcontractors and carefully monitor their partners’ efforts to protect patient data. “They own this now,” Lucci says about business associates’ accountability for HIPAA compliance.

As a result of the HIPAA Omnibus Rule, some covered entities, such as hospitals and clinics, will be making more demands of their business associates, she says. “We’re seeing more and more business associate agreements transfer all the costs of breach remediation to business associates [when the BA is responsible for the breach],” she notes.

In the interview, Lucci discusses steps that business associates and subcontractors need to take to prepare for this new compliance burden, including:

  • Identify a privacy officer in their organizations;
  • Encrypt devices that store patient information;
  • Thoroughly document a risk analysis;
  • Assess how to provide patients with accounting of disclosures of their protected health information.

http://www.healthcareinfosecurity.com/interviews/hipaa-omnibus-business-associate-tasks-i-1786?goback=%2Egde_2371602_member_213690986
