The final HIPAA Omnibus Rule is slated to go into effect later this year. How should we rework our business associate...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
contracts? If a business associate finds itself in hot water for a HIPAA compliance violation, we don't want to be dragged along with it.
Ask the Expert!
Have questions about regulatory compliance? Send them via email today! (All questions are anonymous.)
The HIPAA Omnibus Rule 2013 went into effect in March, but organizations have until Sept. 23, 2013, to become compliant. It introduces a new set of requirements for organizations that handle protected health information (PHI) on behalf of HIPAA-covered entities. As in the past, these organizations, known as business associates, must sign HIPAA business associate agreements (BAAs) that require them to apply appropriate privacy and security controls to the information that they handle on behalf of the covered entity.
The Omnibus Rule makes several changes to existing regulations, and every covered entity should review its BAAs to ensure that they include two important elements. First, the BAA must clearly state that, if the covered entity is delegating any of its responsibilities under the Privacy Rule to the business associate, the BAA must require the business associate to comply with the Privacy Rule in the same manner as it would apply to the covered entity. Second, the regulations now clearly state that business associates are directly subject to the HIPAA Security Rule, and the BAA should be updated to reflect this fact.
The second major change applies directly to business associates by extending the HIPAA umbrella to any organization that the business associate uses as a subcontractor to perform HIPAA responsibilities or handle PHI. Under the new provisions of the rule, HIPAA responsibilities now follow the data wherever it goes and requires that organizations have formal BAAs in place to document this chain of protection.
In your question, you asked about liability for a breach. The terms of BAAs typically include a liability clause that requires the business partner to accept liability for the consequences of any security breach that occurs within their scope of responsibility. This is why it is in your best interest (and indeed your obligation under the new rules) to ensure that you have appropriate BAAs in place with your business partners and that you keep them updated to reflect changes in the regulations and your business processes.
Dig Deeper on HIPAA
Related Q&A from Mike Chapple
Here are some important criteria for hiring a partner to review your information security program, with a focus on HIPAA and HITECH compliance.continue reading
New guidance from the PCI SSC includes some essential aspects of tokenization security and what merchants need to know about tokenization products.continue reading
HIPAA data breach reporting now uses an electronic Web portal, so what does this mean for covered entities? Expert Mike Chapple explains.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.