Business Associates and HIPAA Omnibus: Clarifying the New Responsibilities
The HIPAA Omnibus Rule clarifies that business associates who receive, create, transmit or maintain protected health information must be HIPAA compliant, McMillan notes.
"If you know you're a business associate ... you should conduct a risk assessment right now," McMillan says during an interview with HealthcareInfoSecurity at the 2013 HIMSS Conference in New Orleans. The risk assessment needs to identify gaps in programs to protect patient data.
Under the HIPAA Omnibus Rule, business associates can now be directly investigated by the Department of Health and Human Services for breaches. Although business associates must notify covered entities of breaches, "the covered entity is responsible for notifying victims," McMillan explains.
In the interview, McMillan also discusses:
- Responsibilities of business associates under HIPAA Omnibus;
- What business associates need to know about managing subcontractors;
- Tips for covered entities in managing business associates under HIPAA Omnibus.
McMillan is co-founder and CEO of CynergisTek Inc., an Austin, Texas-based firm specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has more than 30 years of security and risk management experience, including 20 years at the Department of Defense, most recently at the Defense Threat Reduction Agency. He is also chair of the Healthcare Information and Management Systems Society's privacy and security task force.