The HIPAA Omnibus Rule, which went into effect on March 26, 2013, brought in some of the most significant changes since HIPAA itself was enacted. While it had many additions, including strengthened rules on privacy and security, one in particular had a much more far-reaching effect: the additional requirement that business associates of healthcare organizations be held to the same HIPAA compliance standard as the covered entities they serve.
What Makes a Business Associate?
A business associate is any organization that offers products or services to a covered entity and that receives, stores, and/or processes protected health information (PHI). For example, suppose an accounting firm assists a hospital with keeping track of billing information. In order to carry out that service, the firm might receive names, dates of birth, addresses, or other financial information on the hospital's patients. Whether this information is received physically on paper or electronically on the accounting firm's internal computer network, receiving it makes the firm a business associate.
As a business associate, this accounting firm is required to sign a Business Associate Agreement (BAA) with the hospital, which is the covered entity in this relationship. The BAA essentially outlines what the covered entity expects their business associate to uphold, which should ideally include the new rules laid out by the HIPAA Omnibus Rule.
The Effect of the HIPAA Omnibus Rule on Healthcare Organizations' Vendors
What this ultimately leads to is a change in perspective for both the covered entity and its business associates. On the business associates' side, they will have to be much more mindful of how they operate, because they are now held to the same compliance standards as the covered entities they serve. Along with compliance and ensuring patient privacy, they may have to beef up security and their own policies and procedures to ensure they do not become the victim of a breach, whether internal or external.
On the side of the covered entity, healthcare organizations will need to pay closer attention to the vendors they select. They should never be satisfied merely with having a BAA in place with a vendor. At minimum, annual security assessments should be administered to ensure the business associates they are working with have the same level of compliance with HIPAA privacy and security standards as they do themselves. Nothing less should be acceptable.
The result of the HIPAA Omnibus Rule is almost an entirely new relationship between healthcare organizations and the business associates that serve them and their patients. Along with that new dynamic comes yet another potential service offering we do not see very often: a managed security service that evaluates the security of a covered entity's business associates. As mentioned in a previous blog about managed services, many healthcare organizations already lack the manpower to monitor their own privacy compliance. The same concept spurring them to utilize managed privacy monitoring services may very well begin to push them to subscribe to vendor security management services.