
Last Minute Preparation Tips for the HIPAA Omnibus Deadline

September 17, 2014 | News

“You may delay, but time will not.”
― Benjamin Franklin

This famous quote reminds us that another HIPAA Omnibus deadline is fast approaching. Covered entities (CEs) and Business Associates (BAs) that did not update their Business Associate Agreements (BAAs) in 2013 must do so by Monday, September 22, 2014. There’s no more wiggle room for delay. The final deadline is here.

What You’ll Need
Practices, clinics, and other CEs are responsible for auditing all their BAs and subcontractors, and for ensuring receipt of an updated BAA. The modified BAAs must state, in writing, that the BA has achieved the following:

  • Full compliance with the HIPAA Security Rule.
  • Execution of BAAs with any of their subcontractors that create, receive, maintain, or transmit protected health information on behalf of the BA.
  • Reporting of all security incidents, including breaches of unsecured health information.
  • Full compliance with the Privacy Rule requirements applicable to covered entities if and to the extent the BA is to carry out a CE’s obligations under the Privacy Rule.

A more detailed checklist for BAA compliance is here.

Know the Gotchas
Many BAs and subcontractors will readily assert that they are HIPAA compliant, but they must put it in writing by September 22. This includes business partners such as cloud storage companies, EHR vendors, practice management (PM) software firms, coding and billing services, and release-of-information processors. Even copy services and testing modalities must update their BAAs and their subcontractors' BAAs, if they haven't already done so.

CEs should verify that they've identified every BA and subcontractor by conducting a thorough self-audit of their practices, logging every device that captures, stores or transmits PHI. Even C-arms (mobile fluoroscopy units) can store and transmit patient data. Create an inventory of all systems and equipment, then match each PHI-handling vendor against the BAAs on file to identify gaps in BAA documentation.
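One way to run that cross-check, added here as an illustration rather than anything from the article or from HealthPort: take the device inventory from the self-audit and the register of signed BAAs, and report every PHI-handling vendor that has no BAA on file, whose BAA was not updated in 2013 or later, or whose BAA is silent on one of the items listed under "What You'll Need". All vendor names, dates and field names below are constructed sample data.

```python
from datetime import date

# Constructed sample inventory: every device or service that captures,
# stores or transmits PHI for the practice. "holds_phi" is the audit finding.
PHI_SYSTEMS = [
    {"system": "EHR", "vendor": "ExampleEHR Inc.", "holds_phi": True},
    {"system": "Cloud backup", "vendor": "ExampleCloud LLC", "holds_phi": True},
    {"system": "C-arm (fluoroscopy)", "vendor": "ExampleImaging", "holds_phi": True},
    {"system": "Coding and billing service", "vendor": "ExampleBilling", "holds_phi": True},
    {"system": "Copy service", "vendor": "ExampleCopy", "holds_phi": True},
    {"system": "Waiting-room display", "vendor": "ExampleAV", "holds_phi": False},
]

# Constructed BAA register: vendor -> what the signed agreement states in writing.
BAA_REGISTER = {
    "ExampleEHR Inc.": {
        "last_updated": date(2013, 8, 1),
        "uses_subcontractors": True,
        "performs_privacy_rule_functions": True,
        "attests": {"security_rule": True, "incident_reporting": True,
                    "subcontractor_baas": True, "privacy_rule": True},
    },
    "ExampleCloud LLC": {
        "last_updated": date(2011, 5, 10),
        "uses_subcontractors": True,
        "performs_privacy_rule_functions": False,
        "attests": {"security_rule": True, "incident_reporting": True,
                    "subcontractor_baas": False},
    },
    "ExampleBilling": {
        "last_updated": date(2014, 3, 1),
        "uses_subcontractors": False,
        "performs_privacy_rule_functions": True,
        "attests": {"security_rule": True, "incident_reporting": False,
                    "privacy_rule": True},
    },
}

# BAAs not updated in 2013 or later are the ones the September 22, 2014
# deadline applies to; the cutoff is an assumption chosen for this example.
UPDATE_CUTOFF = date(2013, 1, 1)


def find_baa_gaps(systems, register, cutoff=UPDATE_CUTOFF):
    """Return sorted (vendor, system, issue) tuples for every PHI-handling
    vendor whose BAA is missing, stale, or silent on a required item."""
    gaps = set()
    for entry in systems:
        if not entry["holds_phi"]:
            continue  # no PHI, no BAA needed
        vendor, system = entry["vendor"], entry["system"]
        rec = register.get(vendor)
        if rec is None:
            gaps.add((vendor, system, "no BAA on file"))
            continue
        if rec["last_updated"] < cutoff:
            gaps.add((vendor, system,
                      f"BAA last updated {rec['last_updated']}, before {cutoff}"))
        # Items every modified BAA must state in writing ...
        required = ["security_rule", "incident_reporting"]
        # ... and items required only when they apply to this BA.
        if rec["uses_subcontractors"]:
            required.append("subcontractor_baas")
        if rec["performs_privacy_rule_functions"]:
            required.append("privacy_rule")
        for item in required:
            if not rec["attests"].get(item, False):
                gaps.add((vendor, system, f"BAA does not attest to {item}"))
    return sorted(gaps)


if __name__ == "__main__":
    for vendor, system, issue in find_baa_gaps(PHI_SYSTEMS, BAA_REGISTER):
        print(f"{vendor:18} {system:28} {issue}")
```

On the sample data the report flags the two vendors with no BAA at all (the C-arm and the copy service), the cloud vendor whose agreement predates 2013 and says nothing about its subcontractors, and the billing service whose agreement omits incident reporting; the EHR vendor passes and the non-PHI display is skipped. Replace the two constructed tables with an export from your real inventory and contract register.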

Four Basic Steps
Beyond updated BAAs, there are four basic ways practices and clinics can protect the privacy and security of their patients:

  • Establish a solid privacy and security program for PHI.
  • Document your program within strong HIPAA policies and procedures that are reviewed and updated at least annually.
  • Ensure staff receives initial and ongoing education regarding HIPAA and your overall privacy and security program with documentation of their attendance and any disciplinary actions.
  • Define steps to react quickly if a breach occurs — including investigation of the event, mitigation of potential harm, and notification of patients.

The HIPAA Omnibus rule changed your BAA requirements. Under the rule, all BAs and subcontractors are now also liable for breach penalties and fines. You’re no longer alone – but you’re also responsible.


Alisha R. Smith, RHIA is the Health Information Management Compliance Educator for HealthPort Corp. of Alpharetta, Georgia. 
