HIPAA OMNIBUS RULE
The ABCs for working with BAs: A 2013 update
By Rita Bowen and Jan McDavid

In mid-January, the Dept. of Health and Human Services (HHS) released its long-awaited HIPAA omnibus rule, which significantly amends the original HIPAA privacy, security and breach rules. Nowhere are the changes more impactful than in the relationship between covered entities (CEs) and business associates (BAs). BAs are now, for the first time, directly liable for compliance with certain requirements of the HIPAA rules, including the cost of remediation of breaches for which they are responsible. The new rule went into effect March 26, 2013. Covered entities and BAs are expected to comply by September 23 of this year, so there is much work to do. The following tip sheet includes a general overview of the new HIPAA rule and provides suggestions on how to best communicate the changes to BAs to ensure a smooth path to compliance.
What’s new for BAs in the new HIPAA rule?
• Security rule safeguards apply.
• Privacy rule use and disclosure rules apply.
• They can use protected health information only as stated in the business associate agreement.
• Penalties can now be assessed on BAs.
• BAs are now responsible for having business associate agreements (BAAs) with their subcontractors, who will now be treated as BAs.

CEs must have BAAs with their BAs, and BAs must have BAAs with their subcontractors. Key components must include:
• Start date, expiration date, review dates and signatures.
• Terms and conditions of how to use or disclose private health information (PHI), data rights, security, etc.
• New language surrounding breach notification and the securing of data.
• New disclosure-related requirements concerning EHRs.
• Policies and procedures for retention and destruction of data and the recording and reporting of breaches.

Rita Bowen, SVP of HIM and privacy officer, HealthPort
Jan McDavid, compliance officer and general
What’s the process for updating the BAA?
• Arrange by expiration date to evaluate risk and/or priority.
• Evaluate current liability and indemnification details regarding breach incidents.
• Evaluate to include the new required elements.
• Determine if the BA is classified as an “agent.” If so, include stringent requirements for security reviews and documentation of compliance.
Quick start guide
• Download the 563-page rule (www.federalregister.gov/public-inspection) and become acquainted with it – in intimate detail.
• Review the new requirements, and adjust your policies and notice-of-policy practices accordingly.
• Ensure that policies have been applied.
• Complete a thorough assessment of risk.
• Implement and train.
• Evaluate your BAAs and prioritize by risk and need for updates.
• Ensure your BAs can meet the capabilities of the new regulatory requirements.
• Ensure that BAAs provide adequate coverage of incident and breach handling.

Overall, devise a detailed plan for moving forward. Follow your plan, stay focused and document your steps. Willful neglect will cost you, so don’t be in denial!
Risk-assessment tool helps BAs address HIPAA compliance
Are you a healthcare business associate (BA) or subcontractor wondering about your compliance status regarding the new HIPAA Final Rule changes? Kroll Advisory Solutions has a program that can help. The “Business Associate HIPAA Self-Risk Assessment (BA HSRA)” is Kroll’s self-guided tool based on HIPAA provisions, security best practices and guidance from the National Institute of Standards and Technology (NIST). Developed in collaboration with Grant Peterson, J.D., chief compliance officer and founder of HIPAA Analytics, the Kroll tool produces valuable performance measurements, remediation insight and forms for attestation of HIPAA compliance status. Users can identify vulnerabilities within their administrative, physical and technical security safeguards and pinpoint privacy aspects where improvement is needed. The assessment is delivered via Kroll’s secure client portal. A competitively priced program allows for one year of unlimited access. Learn more at www.krolladvisory.com.
HEALTH MANAGEMENT TECHNOLOGY, May 2013