The common perception within the HIPAA Community is that all changes and milestones brought on by the Omnibus Rule have gone into effect. Unfortunately, that’s not quite the case. There is still one last milestone remaining in the 12-month rollout plan announced by the Office of Civil Rights (OCR).
First, if you are not yet familiar with what Omnibus is, here’s a brief summary:
The HIPAA Omnibus ruling does not change any technical requirement of the HIPAA and HITECH revisions. It does make changes to HIPAA agreements and further defines the roles of entities who would be classified as a Business Associate (BA). What most have focused on is that the Omnibus ruling enhances current Business Associates Agreement (BAA) documentation by clearing up some of the language around accountability. It further defines each party’s responsibilities and obligations in a business engagement and introduces a number of legal requirements in case of a breach, such as the number of days within which an event must be reported.
Here is an outline of the different Omnibus phases that apply to all HIPAA Compliant Hosting agreements:
Phase 1 - Omnibus Applies to New HIPAA Hosting Agreements Signed After March 23, 2013
The first part of the ruling stated that anyone entering into a business relationship that involves providing services to a Covered Entity, or Business Associate of a Covered Entity, must have a BAA in place. That BAA must also contain certain language as dictated by the Final Rule (PDF). So, in the case of a hosting provider like Connectria, any new customers must have an updated BAA with the latest Omnibus required content in place prior to moving forward. The deadline for Phase 1 was March 23, 2013.
Phase 2 - HIPAA BAAs for Existing Customers Signed Before March 23, 2013 Now Mandatory
Phase 2 of the Omnibus ruling placed a deadline on any current HIPAA engagements that were signed before March 23, 2013 and did not have a BAA in place. Per the Final Rule, any existing customers that did not have a BAA in place must now have a BAA that contains the Omnibus required content. This was the most difficult deadline for many organizations in the HIPAA Community, because it required both sides of the relationship to analyze the services and risk and then take any corrective actions prior to signing the BAA. The deadline for Phase 2 was September 23, 2013.
Phase 3 - Omnibus Now Applies to All HIPAA BAAs, No Matter When They Were Signed
The last phase in the process states that all BAAs must be updated with the new Omnibus language. Essentially, this means that if you have a BAA with a covered entity (CE) or a business associate (BA) and that agreement does not contain the required content as directed by the Final Rule, then you must modify your existing BAAs with this content no later than September 23, 2014.