HIPAA Omnibus Deadline Has Passed - Are You Compliant?
Recently, the US Congress passed a law called the Omnibus Rule that has far-reaching implications that many are not aware of. It is important to understand your role regarding the HIPAA Standards and how this ruling will affect your compliance. This ruling went into effect on September 23rd, 2013. You may be at significant risk of a fine if you don’t ensure your compliance.
Learn why Omnibus is important to you and how Connectria can help.
The new law states that all Covered Entities, Business Associates or subcontractor BAs are now required to have a signed Business Associate Agreement (BAA) with any vendor or service provider that will be hosting or storing their protected health information (PHI) data. In other words, a BAA is no longer optional and is required to be in effect by September 23rd, 2013. In addition, the Omnibus Rule also specifies certain requirements for language to be contained in the BAA outlining each party’s liabilities in handling this sensitive data. A properly structured BAA is signed between a “Covered Entity” and a “Business Associate”.
Sample BAA Structure - Diagram
It is important to check with your own counsel to determine where you stand based on your access, use, disclosure and storage of PHI. Although HIPAA Compliance typically involves a higher cost, it is a much cheaper alternative to hefty federal government penalties in case of a breach.
Here is an overview of what organizations are considered to be Covered Entities and Business Associates.
A Covered Entity is one of the following:
- A Health Care Provider. This includes providers such as:
  - Nursing Homes
  - Pharmacies
  …but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
- A Health Plan, such as:
  - Health insurance companies
  - Company health plans
  - Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs
- A Health Care Clearinghouse. This includes entities that process non-standard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Definition of a Business Associate:
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a Business Associate. A covered health care provider, health plan, or health care clearinghouse can be a Business Associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a Business Associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a Business Associate include payment or health care operations’ activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business Associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business Associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
Why Use a “Business Associate”?
By law, the HIPAA Privacy Rule applies only to Covered Entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “Business Associates” if the providers or plans obtain satisfactory assurances that the Business Associate will use the information only for the purposes for which it was engaged by the Covered Entity, will safeguard the information from misuse, and will help the Covered Entity comply with some of the Covered Entity’s duties under the Privacy Rule. Covered Entities may disclose protected health information to an entity in its role as a Business Associate only to help the Covered Entity carry out its health care functions – not for the Business Associate’s independent use or purposes, except as needed for the proper management and administration of the Business Associate.
We have been working with many of our HIPAA customers over the last several months to ensure they are compliant with the new regulations and would be glad to help you as well. Please fill out the form below and we will be in touch within 24 hours.
Our Solutions Architects are available 7 days a week to assist you. Our only priority is to find a hosting solution that best meets your needs.
Please fill out the form below and we will try to get you a detailed quote within 24 hours. If you need it faster, just let us know and we will do our best to meet your needs!