HIPAA-covered entities: Time to act on business associate agreements

Compliance expert Mike Chapple reviews changes to HIPAA business associate agreements under the Omnibus Rule and what they mean for covered entities.

With the HIPAA Omnibus Rule in full effect, one of the big changes is the newfound liability on business associates. While covered entities have always been required to enter into business associate agreements (BAAs) with service providers, the Omnibus Rule extends the government's regulatory reach through those agreements.

Service providers who sign BAAs are now subject to the direct regulatory authority of the Department of Health and Human Services (HHS). In addition, covered entities now share liability for the actions of business associates.

In this tip, we'll discuss what HIPAA-compliant organizations must understand about the changing role of business associates, and the business processes enterprises must adjust to comply with the Omnibus Rule.

The changing role of business associates

Hospitals, health insurers, medical practices and other HIPAA covered entities often rely upon a range of outside service providers to assist with administrative, patient care and other tasks in which the provider comes into contact with protected health information (PHI). In those cases, the provider is considered a business associate under the HIPAA regulation and the covered entity is required to have the provider enter into a BAA, which states in writing how the service provider will protect PHI and ultimately support the HIPAA-compliant organization's compliance efforts.

With the release of the HIPAA Omnibus Rule, HHS has expanded the definition of business associate to include several new types of entities. First, organizations that engage in patient safety activities, such as medical error reporting, are now considered business associates. Second, the definition now includes health information organizations, e-prescribing gateways and other organizations that provide data transmission services. Finally, and perhaps most significantly, the business associate relationship now extends to subcontractors working with PHI on behalf of business associates.

Also, under the new rule, HHS is extending its direct regulatory authority to those business associates and their subcontractors. This includes the ability of HHS to audit compliance with HIPAA and conduct enforcement actions against business associates found to be non-compliant. This is a major change for business associates, as they are now in the direct line of fire for the expected series of HIPAA audits coming in 2014.

Action plan for covered entities

What do these changes mean for HIPAA covered entities? Basically, there is some housekeeping to take care of: specifically, ensuring that all business associate agreements are in order.

The first step of this process should be to conduct a complete review of all service providers to ensure that there are BAAs in place where needed. If a business relationship involves the sharing of protected health information, it is likely that a BAA is necessary.

Next, review the actual language of the BAAs that are already signed to ensure that they meet the requirements of the HIPAA Omnibus Rule. This is not a task for security professionals, as it requires legal expertise. Consult with attorneys and request that they review each agreement to verify compliance. HHS provides a sample BAA template on its website that can be modified to suit specific needs.

Finally, meet with each business associate and request that they provide assurance of HIPAA compliance. Depending upon the level of scrutiny, it's possible to request the results of an independent HIPAA assessment, conduct an independent control review or rely upon a description of controls provided by the supplier.

Why go to this trouble? Every organization bound by HIPAA is now on the hook for business associate compliance. Under the old rules, covered entities were not liable for the actions of business associates. The provisions of the Omnibus Rule, however, make covered entities liable for the actions of business associates who are acting as agents of the covered entity. In other words, if a business associate suffers a data breach involving PHI, the HIPAA-compliant organization may be looking at a compliance violation, and the fines and bad press that come with it.

The provisions of the Omnibus Rule make quite a few changes to the relationship between covered entities and their business associates. In addition to some expansion of the definition of business associates, the rule creates new liabilities for both parties to a BAA. Without question, the biggest takeaway is this: If you haven't done so already, it's time to review those BAAs!

About the author:
Mike Chapple, Ph.D., CISA, CISSP, is senior director for IT service delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, and is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.

This was last published in May 2014
