Recently, the US Congress passed a law called the Omnibus Rule that has far-reaching implications that many are not aware of. Connectria is in the process of contacting our customers to ensure they are Omnibus compliant, but it is important to understand your role with regard to the HIPAA Standards and how this ruling will affect your compliance.
Basically, by law, all Covered Entities, Business Associates or Subcontractor BAs are now required to have a signed Business Associate Agreement (BAA) with any vendor or service provider that will be hosting or storing their PHI data. In other words, a BAA is no longer optional and is required to be in effect no later than September 23, 2013. In addition, the Omnibus Rule also specifies certain requirements for language to be contained in the BAA. A properly structured BAA is signed between a “Covered Entity” and a “Business Associate” (see diagram).
It is important to check with your own counsel to determine where you stand based on your access, use, disclosure and storage of PHI. Although HIPAA Compliance typically involves a higher cost, it is a much cheaper alternative to hefty federal government penalties in case of a breach.
If you have any questions please email me at firstname.lastname@example.org and I’ll be happy to provide you with more information.
Also, keep an eye out for our Omnibus Rule Countdown clock (coming soon).
Here is an overview of what organizations are considered to be Covered Entities and Business Associates.
A Covered Entity is one of the following:
A Health Care Provider
This includes providers such as:
· Nursing Homes
…but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
A Health Plan
· Health insurance companies
· Company health plans
· Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
A Health Care Clearinghouse
This includes entities that process non-standard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
What Is a “Business Associate?”
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a Business Associate. A covered health care provider, health plan, or health care clearinghouse can be a Business Associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a Business Associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a Business Associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business Associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business Associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
Why Use a “Business Associate?”
By law, the HIPAA Privacy Rule applies only to Covered Entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “Business Associates” if the providers or plans obtain satisfactory assurances that the Business Associate will use the information only for the purposes for which it was engaged by the Covered Entity, will safeguard the information from misuse, and will help the Covered Entity comply with some of the Covered Entity’s duties under the Privacy Rule. Covered Entities may disclose protected health information to an entity in its role as a Business Associate only to help the Covered Entity carry out its health care functions – not for the Business Associate’s independent use or purposes, except as needed for the proper management and administration of the Business Associate.