Have your Business Associates met the HIPAA Final Omnibus Rule deadline?

Posted: Sep 30, 2014

Last week, Covered Entities (CEs) and Business Associates (BAs) arrived at the end of the one-year transition period for ensuring HIPAA-compliant Business Associate Agreements (BAAs) were in place. In a statement released by the U.S. Department of Health and Human Services (HHS) in January last year, it was confirmed that there would be a stronger focus on privacy and security in the HIPAA Final Omnibus Rule, giving healthcare organizations and their partners forewarning to update archaic, insecure practices.

As of September 23, 2013, BAs were directly regulated and made accountable for complying with HIPAA, with a one-year transition period for those with BAAs established prior to January 25, 2013. The deadline gave CEs and BAs a target for reviewing or amending existing BAAs, and the chance to replace any agreements that failed to meet HIPAA requirements.

Among those requirements, CEs and BAs must:

1. Implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule.
2. Make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule.
3. Return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity.
4. Ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the business associate with respect to such information.
5. Authorize termination of the contract by the covered entity if the business associate, and/or subcontractors, violates a material term of the contract.

Speaking with HealthcareInfoSecurity.com, healthcare compliance attorney Betsy Hodge warned CEs and BAs to carefully scrutinize existing BAAs. It is important for any CE or BA that has not already done so to identify all of its BAs or subcontractors, so it knows who is involved at every stage of data handling.

“If they’re not compliant, then renegotiate those agreements and revise them,” she says. “We’re also advising clients to document their efforts in this process in case they’re not able to get all their agreements revised by the deadline. We advise them to document their efforts, especially if it’s the other party that is causing a delay” in the negotiations, she says.

The definition of ‘Business Associate’ has evolved over time to include vendors who would not previously have qualified as a BA, making it vital for CEs to exercise diligence in establishing their relationships with third parties.

Have you reviewed your BAA in the last year?

If the answer is no, it is crucial you take the necessary steps to ensure any agreements with CEs, BAs or subcontractors are HIPAA-compliant. Those that fail to meet the regulations are accountable for any PHI breaches. In today’s healthcare industry, software plays an ever-expanding role in the success of healthcare organizations; clear contracts between CEs and BAs will guarantee long-term success.

As a Business Associate, at sfax we strive to make the process of creating and maintaining BAAs as simple as possible. From our easy-to-use BAA Builder to our friendly support team, we make sure that our HIPAA-compliant system won’t let you down.