The final HIPAA Omnibus Rule is slated to go into effect later this year. How should we rework our business associate contracts? If a business associate finds itself in hot water for a HIPAA compliance violation, we don't want to be dragged along with it.
The HIPAA Omnibus Rule 2013 went into effect in March, but organizations have until Sept. 23, 2013, to become compliant. It introduces a new set of requirements for organizations that handle protected health information (PHI) on behalf of HIPAA-covered entities. As in the past, these organizations, known as business associates, must sign HIPAA business associate agreements (BAAs) that require them to apply appropriate privacy and security controls to the information that they handle on behalf of the covered entity.
The Omnibus Rule makes several changes to existing regulations, and every covered entity should review its BAAs to ensure that they include two important elements. First, if the covered entity is delegating any of its responsibilities under the Privacy Rule to the business associate, the BAA must clearly require the business associate to comply with the Privacy Rule in the same manner as it would apply to the covered entity. Second, the regulations now clearly state that business associates are directly subject to the HIPAA Security Rule, and the BAA should be updated to reflect this fact.
The second major change applies directly to business associates by extending the HIPAA umbrella to any organization that the business associate uses as a subcontractor to perform HIPAA responsibilities or handle PHI. Under the new provisions of the rule, HIPAA responsibilities now follow the data wherever it goes, and organizations are required to have formal BAAs in place to document this chain of protection.
In your question, you asked about liability for a breach. The terms of BAAs typically include a liability clause that requires the business partner to accept liability for the consequences of any security breach that occurs within their scope of responsibility. This is why it is in your best interest (and indeed your obligation under the new rules) to ensure that you have appropriate BAAs in place with your business partners and that you keep them updated to reflect changes in the regulations and your business processes.