The HIPAA Omnibus Rule creates a complex chain of compliance liability among covered entities and their business partners.
Under HIPAA Omnibus, covered entities, business associates, and subcontractors can be held responsible for the compliance conduct of their "downstream" partners.
For example, a practice can be held responsible for the conduct of a downstream business associate if the vendor qualifies as an "agent" of the practice. Whether a vendor is an "agent" is determined under the federal common law of agency; the central question is whether the covered entity has the right or authority to control the vendor's conduct in the course of performing the service, for example by giving it specific instructions on how to carry out its functions rather than simply contracting for a result.
As a result, if a breach is caused by a business associate acting as the practice's "agent" within the scope of that agency, the practice itself can face civil penalties for the violation.
Vendors providing services to healthcare organizations need to take the initiative to determine carefully whether they qualify as a business associate under the expanded definition in HIPAA Omnibus, which explicitly covers health information organizations, e-prescribing gateways, and other entities that provide data transmission services and routinely access protected health information. A vendor that does not know it is a business associate is unlikely to be taking all the steps it needs to comply. HIPAA Omnibus makes clear that business associates and their subcontractors are directly liable for complying with the applicable HIPAA provisions.