Final Omnibus Compliance – October 2013

Does your organization understand the conditions of HIPAA Final Omnibus compliance with respect to Business Associates? 

You had until September 23, 2013 to bring all Business Associate (BA) agreements into conformance with the new rules; however, BA agreements that were not renewed or modified between March 26, 2013 and September 23, 2013 are deemed compliant until the date the BA agreement is renewed or modified or until September 22, 2014, whichever is earlier.

When you do renew or modify your existing BA agreements, consider the new requirements:

  1. BAs must comply with the Security and Breach Notification Rules
  2. Physicians are still liable for the actions of their BAs who are agents – physicians are not liable for BAs who are independent contractors as BAs who are independent contractors are now directly liable for violations
  3. BAs are now responsible for there subcontractors

The most pronounced change under the HIPAA Final Omnibus Rule is the expansion of BAs to include both direct liability under most of the HIPAA Privacy and Security Rules and the obligation to enforce these rules with respect to their subcontractors. The obligations of physicians and other health care providers to protect patients’ protected health information (PHI) now extend to BAs who have access to PHI. The penalty for violations of any of these obligations is increased.

A detailed description of the provisions for a BA agreement can be found at the U.S. Department of Health & Human Services.

The three main areas of the Omnibus Final Rule focused on compliance with:

  • Privacy, Security, and Breach Notification policies and procedures
  • Notice of Privacy Practices (NPP)
  • Business Associate (BA) Agreements

We will review Breach Notification policies and procedures and NPPs in the December 2013 newsletter.

Stay current with HIPAA requirements through current educational online learning with HIPAA Exams. Current educational modules are available for Business Associates, Administrators, health care providers, and other health care workers.