In a previous blog post we discussed the HIPAA Omnibus Rule as it applies to Business Associates (BAs). Here we look at what the same rule means for Covered Entities (CEs).
Business Associates Agreements
CEs have been required to have Business Associate Agreements (BAAs) with their BAs for quite a while, and the HIPAA Omnibus Rule does not change that requirement. What changes is that existing BAAs need to be updated to reflect that BAs are now directly liable for compliance with certain HIPAA requirements, most notably the HIPAA Security Rule.
BAs will now also need BAAs with their own subcontractors (Business Associates of Business Associates) that create, receive, maintain, or transmit protected health information (PHI) on their behalf. CEs do not need BAAs with the subcontractors of their BAs. In other words, a CE needs a BAA with each of its direct BAs, and each BA needs a BAA with each of its direct subcontractors. This can be viewed as a chain of responsibility that follows the PHI.
A sample BAA is available on the HHS website.
In the sample BAA, the following section gives the BA responsibility for complying with the HIPAA Security Rule. This language should be added to existing BAAs:
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;
The following language should be added to existing BAAs to address the new requirement that BAs bind their subcontractors (BAs of BAs) to the same obligations:
(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information;
Important dates for Business Associate Agreements
The dates for compliance with BAAs are a little confusing, because the transition rules carry several conditions. The following is a good rule of thumb.
- BAAs that were already in place before January 25, 2013 and complied with the prior rules are deemed compliant until September 22, 2014, so Covered Entities need to have all existing BAAs updated by that date. If such a BAA is renewed or modified (other than by automatic renewal with no changes) on or after September 23, 2013, it must be brought into compliance with the Omnibus Rule at that time rather than waiting for the 2014 deadline. Any BAA entered into on or after September 23, 2013 must comply with the Omnibus Rule from the start.
Tracking Business Associates
Business Associates account for many HIPAA security breaches, and a signed BAA is not by itself evidence that a BA is properly protecting patient information. Covered Entities should ask their BAs for proof of compliance, and BAs should ask the same of their subcontractors. Now that the HIPAA Omnibus Rule has made BAs directly liable for complying with the HIPAA Security Rule, CEs should ask each BA to show that it has:
- Conducted a thorough HIPAA Risk Assessment. (Download our free guide to better understand the HIPAA Risk Assessment process)
- Implemented HIPAA policies and procedures that address the administrative, physical, and technical safeguards
- Trained its workforce on HIPAA security
- Implemented security incident response procedures and a breach notification process, including notifying the CE of breaches of unsecured PHI
- Designated an individual as HIPAA Security Officer
There are good reasons the HIPAA Omnibus Rule puts additional responsibilities on Business Associates. Many HIPAA breaches have been caused by BAs, and many BAs have little idea what the HIPAA regulations require of them. A BA may be an information technology (IT) company or a law firm with only a handful of healthcare clients and no background in HIPAA security. This needs to change, and the HIPAA Omnibus Rule aims to force that change.
We have developed our HIPAA Business Associate Program to address the needs of Business Associates. Have your subcontractors take our four-question quiz to help determine whether their organization is now a Business Associate. If it is, we can help with our quick, easy, and inexpensive path to HIPAA compliance. Feel free to pass this information along to them.