
Last Minute Preparation Tips for the HIPAA Omnibus Deadline

September 17, 2014

“You may delay, but time will not.”
― Benjamin Franklin

This famous quote reminds us that another HIPAA Omnibus deadline is fast approaching. Covered entities (CEs) and Business Associates (BAs) that did not update their Business Associate Agreements (BAAs) in 2013 must do so by Monday, September 22, 2014. There’s no more wiggle room for delay. The final deadline is here.

What You’ll Need
Practices, clinics, and other CEs are responsible for auditing all their BAs and subcontractors, and for ensuring receipt of an updated BAA. The modified BAAs must state, in writing, that the BA has achieved the following:

  • Full compliance with the HIPAA Security Rule.
  • Execution of BAAs with any of their subcontractors that create, receive, maintain, or transmit protected health information on behalf of the BA.
  • Reporting of all security incidents, including breaches of unsecured health information.
  • Full compliance with the Privacy Rule requirements applicable to covered entities if and to the extent the BA is to carry out a CE’s obligations under the Privacy Rule.

A more detailed checklist for BAA compliance is here.

Know the Gotchas
While many BAs and subcontractors will profess HIPAA compliance, they must put it in writing by September 22. This may include such business partners as cloud storage companies, EHR vendors, PM software firms, coding and billing services, and release of information processors. Even copy services and testing modalities must update their BAAs and their subcontractor BAAs — if they haven’t already done so.

CEs should verify that they’ve identified each BAA and subcontractor by conducting a thorough self-audit of their practices — logging every device that captures, stores or submits PHI. Even C-arms can store and submit data. Create an inventory of all systems and equipment to identify gaps in BAA documentation.

Four Basic Steps
Beyond updated BAAs, there are four basic ways practices and clinics can protect the privacy and security of their patients:

  • Establish a solid privacy and security program for PHI.
  • Document your program within strong HIPAA policies and procedures that are reviewed and updated at least annually.
  • Ensure staff receive initial and ongoing education regarding HIPAA and your overall privacy and security program, and document their attendance and any disciplinary actions.
  • Define steps to react quickly if a breach occurs — including investigation of the event, mitigation of potential harm, and notification of patients.

The HIPAA Omnibus rule changed your BAA requirements. Under the rule, all BAs and subcontractors are now also liable for breach penalties and fines. You’re no longer alone – but you’re also responsible.


Alisha R. Smith, RHIA is the Health Information Management Compliance Educator for HealthPort Corp. of Alpharetta, Georgia. 

