To comply with the HIPAA Omnibus Rule, business associates and their subcontractors must immediately take several steps, including thoroughly documenting their privacy and security practices.
The HIPAA Omnibus Rule makes it clear that business associates and their subcontractors must be HIPAA compliant or risk stiff penalties. As a result, they need to conduct a risk assessment, make appropriate use of encryption and take other precautions to ensure full compliance by the September 23, 2013 deadline.
What business associates have done previously will no longer be sufficient. They will be as accountable as covered entities for protecting patient information.
Business associates also need to update their agreements with their subcontractors and carefully monitor their partners' efforts to protect patient data. "They own this now," says security expert Susan Lucci, about business associates' accountability for HIPAA compliance.
As a result of the HIPAA Omnibus Rule, covered entities will be making more demands of their business associates, she says. "We're seeing more and more business associate agreements transfer all the costs of breach remediation to business associates (when the BA is responsible for the breach)," Lucci notes.
Compliance Steps
Business associates and subcontractors should take the following steps to prepare for this new compliance burden:
- Provide annual privacy and security training for managers and employees;
- Designate privacy and security officers in their organizations;
- Encrypt devices that store patient information (PHI that is encrypted in line with HHS guidance is not "unsecured PHI," so a lost or stolen encrypted device does not trigger breach notification);
- Conduct and thoroughly document a risk analysis;
- Assess how to provide patients with an accounting of disclosures of their protected health information.
Business associates and subcontractors should also remember that the Department of Health and Human Services plans to include them in its random HIPAA compliance audits.
Who are Business Associates?
A business associate is any person or organization that creates, receives, maintains or transmits protected health information on behalf of a covered entity (for example, a medical practice), or that performs a service for the covered entity which requires access to PHI. Under the Omnibus Rule, a subcontractor that handles PHI for a business associate is itself a business associate. Following are some examples of business associates:
- Legal Services
- Accounting Services
- Billing Services
- Collection Agencies
- Transcription Services
- Consulting Services
- Hardware and Software Support
- Claims Processing
You should ensure that all of your business associates are HIPAA compliant and that your business associate agreements with them are up to date. If you direct them to us, we can help them become compliant. It is essential that every BA that handles your PHI is compliant and protects that information as the HIPAA Omnibus Rule requires.