One of the major changes the new HIPAA Omnibus Rule brings for every business it covers is that you are required to
“Review and, if Necessary, Amend Business Associate Agreements.”
Whether your organization is defined as a Hospital, a Physician Practice, a Group Health Plan, a Managed Care organization, a Pharmacy, a Dental Office, or any kind of “Covered Entity” (CE), you have to change your business agreements with all the people who access, create, manage, store, or view your Protected Health Information (PHI).
The new HIPAA Omnibus Rule (45 CFR § 164.314(a) and § 164.504(e)) added new elements that require you to adjust your Business Associate Agreements so that each business associate agrees, in writing, to comply with the HIPAA Security Rule, including performing its own Risk Analysis of how it protects PHI.
Covered entities and business associates must ensure that their existing and future agreements contain the elements required by . In addition to previous requirements, the agreement must require the business associate to:
1. Comply with the security rule.
2. Execute business associate agreements with their subcontractors.
3. To the extent the business associate carries out an obligation of a covered entity, comply with any HIPAA rule applicable to such obligations.
4. Report breaches of unsecured protected health information to the covered entity (organization).
If you’re not sure how to adjust all these agreements, DHHS-OCR has updated sample business associate language for you to use at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
The HIPAA Omnibus Rule has made accountability more important because it makes the Covered Entity (CE) liable for the misconduct of a business associate when that business associate is acting as the agent of the covered entity.
In the same way, business associates should review their agreements with their Covered Entities and with their Subcontractors to make sure the contract language is up to date, makes it clear that the subcontractors are acting as independent contractors and not as agents of the covered entity or business associate, and does not give the covered entity so much control over your day-to-day operations (as their business associate) that you could be treated as its agent.
As of today, August 19, 2013, both Healthcare Providers (CEs) and Business Associates have 34 more days to bring these agreements into line with the new HIPAA Omnibus Rule. The only exception is an existing agreement that qualifies for the transition period, which requires both that:
(1) the agreement was in place on January 25, 2013, and complied with the HIPAA rules as of that date, and
(2) the agreement does not expire or renew (other than through evergreen clauses) prior to September 23, 2013.
An agreement meeting both conditions is deemed compliant until it is renewed or modified after September 23, 2013, or until September 22, 2014, whichever comes first!
So get out those pencils, and those agreements and start reviewing, amending and modifying those agreements!
SPECIAL TIP: Here’s a web site with sample Business Associate language to use as a resource: