There is a lot of buzz about the changes to Business Associates under the new HIPAA Omnibus Rule. Let's take a look at some of the items that both Covered Entities (CE) and Business Associates (BA) should know about the new HIPAA changes.
Who are Business Associates?
The definition of Business Associates has, for the most part, not changed. Simply stated, a HIPAA Business Associate is an organization or individual that performs services for a covered entity (healthcare organization) and that has access to protected health information (PHI). PHI is also known as patient information.
What did the HIPAA Omnibus Rule do to Business Associates?
The new HIPAA rule made Business Associates directly liable for compliance with the HIPAA Security Rule. Here is a quote from the Executive Summary of the HIPAA Omnibus Rule:
Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
In addition, the HIPAA Omnibus Rule made subcontractors of Business Associates directly liable for complying with the HIPAA regulations as well. In the past, Business Associates of Covered Entities had to have Business Associate Agreements (BAAs) with the Covered Entities. The same is still true, but now subcontractors of Business Associates (Business Associates of Business Associates) have to have BAAs as well.
One thing to keep in mind is that an organization becomes a Business Associate (to a Covered Entity or to another Business Associate) if it meets the definition of a Business Associate, regardless of whether it has a BAA in place. Stated another way, an organization can become a Business Associate whether it knows it or not, whether it wants to or not, and whether it has a BAA in place or not. So if an organization is performing services for a CE or BA that require disclosing PHI, there is a good chance the organization is now a Business Associate.
What does a Business Associate need to do under the HIPAA Omnibus Rule?
As we previously stated, the HIPAA Omnibus Rule greatly expanded the net of organizations that need to comply with HIPAA regulations. Business Associates are now directly liable for compliance with HIPAA and the HIPAA Security Rule. Here are some high-level items that Business Associates need to do to comply:
- Assign the responsibility of HIPAA Security Officer to an individual. This person will be responsible for ensuring the organization is complying with the HIPAA Security Rule.
- Perform a HIPAA Risk Assessment to determine risks to PHI and to identify additional security measures that should be implemented to better protect PHI. (Download our free guide to better understand the HIPAA Risk Assessment process.)
- Ensure that all employees receive HIPAA security training on how to protect PHI.
- Implement policies and procedures that address the administrative, technical and physical safeguards of the HIPAA Security Rule.
- Ensure that Business Associate Agreements are in place with all downstream subcontractors (BAs to BAs). HHS has published a sample BAA that organizations can use as a starting point.
- Notify upstream Covered Entities or Business Associates of any security breaches.
Penalties for Business Associates
Now that Business Associates are directly liable for compliance with the HIPAA Security Rule, they can also receive fines from OCR. Depending on who is responsible for a security breach, both the CE and the BA might be fined if both are found responsible. Fines for BAs are the same as for CEs, starting at $100 per record and going up to a maximum of $1,500,000.
Important dates for Business Associate Agreements
The dates for compliance with BAAs are a little confusing, with many details and conditions. The following is a good rule of thumb:
- Business Associates need to have HIPAA-compliant BAAs with subcontractors in place by September 23, 2013.
- Covered Entities need to modify existing BAAs by September 24, 2014. If an existing BAA is modified after September 22, 2013, the modified BAA must comply with the new Omnibus rules.
The HIPAA Omnibus Rule greatly expands which organizations are responsible for complying with HIPAA. Many of these organizations have not yet put in place the security measures required for compliance. We have developed our HIPAA Business Associate Program to address the needs of Business Associates. Take our 4-question quiz to help determine whether your organization is now a Business Associate. If you determine that your organization is a Business Associate, we can help with our quick, easy and inexpensive path to HIPAA compliance!