Although enforcement of the HIPAA Omnibus Rule began nearly a year ago, there's still one more important deadline quickly approaching for covered entities and business associates, says healthcare compliance attorney Betsy Hodge.
Sept. 22 is the deadline to revise business associate agreements that were already in place when the HIPAA Omnibus Rule was published in the Federal Register on Jan. 25, 2013.
"When HIPAA Omnibus went into effect [last year], there was a grandfather provision in the rule for existing business associate agreements," notes Hodge, who's based in the Tampa, Fla., office of the national law firm Akerman, LLP.
In preparing to meet that Sept. 22 deadline at this late stage, Hodge says it's vital for covered entities, business associates and subcontractors to review existing business associate agreements to ensure they're compliant with all HIPAA Omnibus requirements.
Under HIPAA Omnibus, business associates and their subcontractors are now directly liable for HIPAA compliance, so the business associate agreements need to reflect that, as well as other new omnibus provisions.
"If they're not compliant, then renegotiate those agreements and revise them," she says. "We're also advising clients to document their efforts in this process in case they're not able to get all their agreements revised by the deadline. We advise them to document their efforts, especially if it's the other party that is causing a delay" in the negotiations, she says.
Under the HIPAA Omnibus breach notification rule, security incidents are presumed to be reportable data breaches unless organizations demonstrate through a four-factor assessment that risks are low. But Hodge says some covered entities and business associates have been taking "a more open view of disclosing breaches" by skipping the analysis.
"Some clients have said, 'Our policy is we won't even do the analysis, we will just declare it a breach. We automatically presume that it's a breach, and then we'll provide the needed notification,'" she says.
In the interview, Hodge also discusses:
- Common mistakes that organizations make in their business associate agreements, and how to correct them;
- Other HIPAA Omnibus and HIPAA Security Rule provisions still causing organizations the most compliance difficulty;
- Why she predicts there likely will be more health data breaches and OCR enforcement activities involving hacker incidents;
- What's surprised Hodge the most since the HIPAA Omnibus Rule went into effect.
At Akerman, Hodge represents a variety of healthcare providers in compliance and transactional matters. That work includes providing guidance to physicians and hospitals regarding compliance with applicable federal and state statutes and regulations, including the HIPAA privacy, security and breach notification provisions. Hodge is also the former president of the Florida Academy of Healthcare Attorneys and is a member of the Florida Hospital Association's HIPAA Preemption Analysis Task Force.