HIPAA Omnibus: The Liability Chain
Expert Explains Compliance Flow
Under HIPAA Omnibus, covered entities, business associates and subcontractors can be held responsible for the compliance conduct of their "downstream" partners under certain circumstances, says Wu, a partner at Cooke Kubrick and Wu LLP.
For example, a hospital could be responsible for the conduct of a downstream business associate if the vendor qualifies as an "agent" of the hospital, Wu says in an interview with HealthcareInfoSecurity. The term "agent" refers to vendors that have received certain instructions from the covered entity, like a hospital, about how to perform various functions.
As a result, if there is a breach in which an "agent" - such as a business associate - is at fault, the hospital could face civil penalties, he says.
Vendors providing services to healthcare organizations need to take the initiative to carefully determine if they qualify as a business associate under the expanded definition in HIPAA Omnibus, Wu stresses. "If you don't know you're a business associate ... you might not be taking all the steps you need to comply," he says. HIPAA Omnibus makes it clear that business associates and their subcontractors must comply with most HIPAA provisions.
In the interview, Wu also discusses:
- The range of companies that fall under the new definition of "business associate," including health information organizations and e-prescribing gateways;
- The compliance responsibilities that business associates and subcontractors have under HIPAA Omnibus;
- Modifications that covered entities and business associates should make in their agreements to spell out HIPAA compliance responsibilities.
Wu is former chair of the American Bar Association Section of Science & Technology Law and co-chair of its Information Security Committee. He has written or co-authored five books on data security law, including "A Guide to HIPAA Security and the Law," and is writing a book on handling mobile devices in the enterprise.