“You may delay, but time will not.”
― Benjamin Franklin
This famous quote reminds us that another HIPAA Omnibus deadline is fast approaching. Covered entities (CEs) and Business Associates (BAs) that did not update their Business Associate Agreements (BAAs) in 2013 must do so by Monday, September 22, 2014. There’s no more wiggle room for delay. The final deadline is here.
What You’ll Need
Practices, clinics, and other CEs are responsible for auditing all their BAs and subcontractors, and for ensuring receipt of an updated BAA. The modified BAAs must state, in writing, that the BA has achieved the following:
- Full compliance with the HIPAA Security Rule.
- Execution of BAAs with any of their subcontractors that create, receive, maintain, or transmit protected health information on behalf of the BA.
- Reporting of all security incidents, including breaches of unsecured health information.
- Full compliance with the Privacy Rule requirements applicable to covered entities if and to the extent the BA is to carry out a CE’s obligations under the Privacy Rule.
A more detailed checklist for BAA compliance is here.
Know the Gotchas
While many BAs and subcontractors will attest verbally to HIPAA compliance, they must put it in writing by September 22. This may include such business partners as cloud storage companies, EHR vendors, PM software firms, coding and billing services, and release of information processors. Even copy services and testing modalities must update their BAAs and their subcontractor BAAs — if they haven’t already done so.
CEs should verify that they’ve identified every BA and subcontractor by conducting a thorough self-audit of their practices, logging every device that captures, stores, or submits PHI. Even C-arms can store and submit data. Create an inventory of all systems and equipment to identify gaps in BAA documentation.
Four Basic Steps
Beyond updated BAAs, there are four basic ways practices and clinics can protect the privacy and security of their patients:
- Establish a solid privacy and security program for PHI.
- Document your program within strong HIPAA policies and procedures that are reviewed and updated at least annually.
- Ensure staff receive initial and ongoing education on HIPAA and your overall privacy and security program, and document their attendance and any disciplinary actions.
- Define steps to react quickly if a breach occurs — including investigation of the event, mitigation of potential harm, and notification of patients.
The HIPAA Omnibus rule changed your BAA requirements. Under the rule, all BAs and subcontractors are now also liable for breach penalties and fines. You’re no longer alone – but you’re also responsible.
Alisha R. Smith, RHIA is the Health Information Management Compliance Educator for HealthPort Corp. of Alpharetta, Georgia.