Sept 23, 2013 is fast approaching. That’s the date by which your business associates and their subcontractors have to be in compliance with the HIPAA final “Omnibus” Rule. The final rule, released earlier this year, not only expands the definition of a “business associate” (BA) under HIPAA, but also holds BAs and their subcontractors responsible for being in compliance with HIPAA and subject to criminal and civil liability for violating certain provisions of HIPAA.
The expanded definition of a BA now includes:
- Persons who "create, receive, maintain or transmit" ePHI.
- Persons who "maintain" ePHI on behalf of a covered entity, even if the person does not actually view the ePHI. For example, most document storage companies and cloud computing providers that maintain ePHI on behalf of a covered entity are business associates.
- Subcontractors: persons who perform functions for, or provide services to, a business associate are also business associates if they access or store ePHI.
Under this new rule, the number of BAs that your healthcare practice deals with may have changed. Here’s what you need to do:
- Make a list of all third-party vendors you work with that fall under the revised definition of a BA. This list should encompass IT vendors such as data storage companies, IT service providers that maintain your systems, cloud service vendors, billing companies, transcriptionists, etc.
- Interview them and question them regarding their HIPAA compliance efforts. Ask them about their security measures and adoption of best practices to protect the ePHI.
- Ask them whether they have ever conducted a business technology risk assessment. Any vendor who claims to be HIPAA compliant will be proud to tell you about their security measures and should be able to address all your concerns effectively.
- Negotiate and execute an effective BAA that spells out the BA’s legal responsibilities and liabilities in the event of a data breach.
A signed BAA ensures that the BA understands its legal responsibilities to protect the ePHI and has implemented reasonable and appropriate measures to ensure the security and privacy of ePHI and to comply with the HIPAA Security Rule.
As a covered entity, you are ultimately responsible for protecting the ePHI of your patients. Your reputation and financial well-being depend on it. Having a clearly written and executed BAA in place can serve to mitigate the financial damage to your practice in the event of a third-party data breach.