Business associates of all sizes, as well as their subcontractors, must now get their HIPAA compliance act together.
When the new HIPAA Omnibus Rule (Mega Rule) takes effect in the months ahead (compliance date September 23, 2013), business associates and their subcontractors will be on the hook, along with the covered entities they serve, for health data breaches and HIPAA non-compliance issues. They now must comply or face investigations and potentially hefty financial penalties from the Department of Health and Human Services.
Business associates have long had privacy and security obligations under their contractual agreements with covered entities. But under the HIPAA omnibus rule, "for the first time, business associates will have some absolute obligations for how they can use and disclose the protected health information on behalf of a covered entity," says Susan McAndrew, deputy director of HHS' Office for Civil Rights, which enforces HIPAA. The new rule is "not so much an obligation change, but business associates can now be called for misuse or failure to safeguard this information," McAndrew explains.
"If there is a HIPAA non-compliance complaint or the breach, OCR can now directly investigate the business associate," McAndrew stresses. "If they violate the rule, they could face penalties as the covered entity does." Under the new regulations, penalties can range up to $1.5 million per violation.
While business associates and subcontractors of any size that have access to protected health information from covered entities will be subject to new HIPAA scrutiny, it is possible that smaller firms could have the biggest headaches in complying with the new rule.
Many that provide services to healthcare organizations find themselves facing the same challenges as thousands of smaller clinics with limited resources that are struggling to complete risk assessments and implement security plans.
Keep this in mind: Business associates of all sizes have been involved in about 21 percent of the major breaches listed on the HHS "wall of shame".
If you start picking through some of the more recent breaches involving business associates, including incidents in the news that have not yet made it to the HHS tally, you'll see several smaller firms pop up.
The bottom line in all this is that business associates and their subcontractors of all sizes have to re-examine how they're safeguarding their healthcare clients' data.
If they don't, they could find themselves coping with a federal investigation that could culminate with a fine big enough to hurt their profits or even their long-term viability.
Healthcare Compliance Pros is here to help business associates of all sizes. We have the answer to the compliance issues they face and the training they need for their employees.
Many business associates are in the dark about HIPAA compliance. If you have questions about our business associate compliance and training programs, please contact us and we will be happy to help you. If you have business associates whose compliance you are concerned about, please contact us.