The final HIPAA Omnibus Rule is slated to go into effect later this year. How should we rework our business associate...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
contracts? If a business associate finds itself in hot water for a HIPAA compliance violation, we don't want to be dragged along with it.
Ask the Expert!
Have questions about regulatory compliance? Send them via email today! (All questions are anonymous.)
The HIPAA Omnibus Rule 2013 went into effect in March, but organizations have until Sept. 23, 2013, to become compliant. It introduces a new set of requirements for organizations that handle protected health information (PHI) on behalf of HIPAA-covered entities. As in the past, these organizations, known as business associates, must sign HIPAA business associate agreements (BAAs) that require them to apply appropriate privacy and security controls to the information that they handle on behalf of the covered entity.
The Omnibus Rule makes several changes to existing regulations, and every covered entity should review its BAAs to ensure that they include two important elements. First, the BAA must clearly state that, if the covered entity is delegating any of its responsibilities under the Privacy Rule to the business associate, the BAA must require the business associate to comply with the Privacy Rule in the same manner as it would apply to the covered entity. Second, the regulations now clearly state that business associates are directly subject to the HIPAA Security Rule, and the BAA should be updated to reflect this fact.
The second major change applies directly to business associates by extending the HIPAA umbrella to any organization that the business associate uses as a subcontractor to perform HIPAA responsibilities or handle PHI. Under the new provisions of the rule, HIPAA responsibilities now follow the data wherever it goes and requires that organizations have formal BAAs in place to document this chain of protection.
In your question, you asked about liability for a breach. The terms of BAAs typically include a liability clause that requires the business partner to accept liability for the consequences of any security breach that occurs within their scope of responsibility. This is why it is in your best interest (and indeed your obligation under the new rules) to ensure that you have appropriate BAAs in place with your business partners and that you keep them updated to reflect changes in the regulations and your business processes.
Dig Deeper on HIPAA
Related Q&A from Mike Chapple
It's hard to tell if a company is a HIPAA business associate, but a closer look at HHS documents helps. Expert Mike Chapple discusses a specific case...continue reading
There was speculation in the security world over whether the FedRAMP certification would be helpful or not. Now that it's in full use, Mike Chapple ...continue reading
Medical device companies are part of the health industry, but does that make them a HIPAA covered entity or business associate? Expert Mike Chapple ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.