HIPAA Omnibus: Business Associate Tips
Moving Down the Path of Compliance
Now that the federal government has clarified the definition of a business associate, some companies may be passing through the various stages of denial, anger, blame or, hopefully, acceptance.
Under the HIPAA Omnibus Rule, a business associate is defined as anyone who "receives, creates, maintains or transmits protected health information on behalf of a covered entity." And under the rule, those that meet that definition now are directly responsible for compliance with the HIPAA Security Rule and many provisions of the HIPAA Privacy Rule.
Suffice it to say there is a lot to do and not a lot of time to do it.
And keep this in mind: The HIPAA Omnibus Rule makes it clear that if you receive, create, maintain or transmit PHI on behalf of a covered entity, you are a business associate, and you are accountable as one, whether or not you have ever received or executed a business associate agreement.
According to the Department of Health and Human Services, business associates have been involved in more than 20 percent of the major breaches reported to federal authorities since 2009. And some of the largest breaches, in particular, have involved BAs. So when it comes to breach prevention, it's clear that they have plenty of work to do.
HIPAA Omnibus took effect March 26, 2013, and the compliance date is Sept. 23, 2013. So business associates can't afford to procrastinate.
Where to Begin?
But how should the compliance effort begin? The best place to start is by conducting a risk analysis in accordance with 45 CFR 164.308(a)(1)(ii)(A) of the HIPAA Security Rule.
Guidance for completing an appropriate risk analysis can be found on the HHS Office for Civil Rights website. Conducting your risk analysis and, more important, addressing its outcomes will likely take considerable time. OCR will expect business associates to have completed their risk analysis before September. So don't delay.
The next order of business following the risk analysis will be to address identified gaps in policies, procedures, practices and controls. It will also be important, if you haven't already, to start educating and training the workforce on their responsibilities.
Nothing assures success in security more than a well-defined program and an educated workforce.
Another important task business associates will want to get a handle on quickly is identifying any subcontractors that have access to PHI. That's because under the HIPAA Omnibus Rule, these subcontractors are themselves business associates and also must be HIPAA compliant. Each subcontractor will need to execute a business associate agreement with the business associate it serves.
Fortunately, there are several good sources for business associate agreement templates, including OCR's website and the North Carolina Healthcare Information and Communications Alliance site. Or you can simply modify the one you receive from your covered entity, making sure to include any pertinent requirements you need to pass along to the subcontractor, such as reporting timelines in the event of a breach.
Speaking of which, business associates will also want to ensure that they, as well as their subcontractors, can respond to breach notification requirements.
Under the HIPAA Omnibus Rule, business associates have to notify the appropriate covered entity in case of a breach. The rule requires business associates to report without unreasonable delay and in no case later than 60 days after discovering the breach, but most covered entities, who shoulder the majority of the burden for notifications, want to hear from their business associates within a few days of the breach being discovered.
Under the new rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the organization can demonstrate a low probability that the information has been compromised. That demonstration rests on a risk assessment of at least four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated.
Of course, this risk assessment is not required if the organization concludes without it that notification is necessary and simply notifies. But if the organization believes the probability of compromise is unknown or low, it must conduct the assessment and document its outcome as part of its decision on whether to notify. Note that this is a separate exercise from the Security Rule risk analysis described above. The covered entity whose information is involved will want to be a part of this process.
Business associates may also be a part of a covered entity's extended enterprise for accounting of disclosures purposes. You'll need to be ready to support these requests as well.
The HIPAA Omnibus Rule establishes the requirement for business associates to support requests for an accounting of disclosures. The proposed Accounting of Disclosures Rule, expected out later this year, would additionally require CEs to provide an accounting of who has accessed those systems that are a part of a "designated record set." If a business associate hosts or has access to these systems, it will need to be prepared to support such requests.
Established business associates will be expected to be compliant by September. Newly minted business associates will be expected to get there quickly. Getting started now should be the first order of the day.
Mac McMillan is co-founder and CEO of CynergisTek Inc., an Austin, Texas-based firm specializing in information security and regulatory compliance.