The new HIPAA/HITECH “Omnibus Rule” went into effect on March 26, 2013, and organizations have 180 days to come into compliance — which is not a lot of time. This new regulation modifies HIPAA in line with changes mandated by the HITECH Act of 2009.
One of the key changes in the new rule, which will have a broad impact across the healthcare industry and far beyond, is a significantly broader definition of what constitutes a “Business Associate” for compliance purposes. In the past an organization was not a Business Associate (and therefore not required to be HIPAA compliant) unless it signed a Business Associate Agreement. Omnibus makes virtually any entity handling Protected Health Information a Business Associate, even if it has not signed a Business Associate Agreement. Healthcare and health plan providers now have more Business Associates to worry about than previously, and many service providers that weren’t worried about HIPAA now need to be.
The sweeping intent of these changes is to ensure that HIPAA protections extend “no matter how far ‘down the chain’ the information flows.” They make many more third parties subject to applicable HIPAA rules, notably the HIPAA Security Rule and parts of the Privacy Rule.
To summarize the changes:
* A Business Associate is basically any person/organization that creates, receives, maintains or transmits protected health information (PHI).
* This includes more “obvious” services such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities (per 42 CFR 3.20), billing, benefit management, practice management, etc.
* It also includes less “obvious” services such as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
* Entities that provide data transmission services for PHI, and/or that require access to PHI “on a routine basis”, are implicitly defined as Business Associates, even if they have not signed a Business Associate Agreement.
* A subcontractor that creates, receives, maintains or transmits PHI on behalf of a Business Associate is also defined as a Business Associate; the impact of this change is huge.
* The so-called “conduit exception” is now limited to organizations that only transmit PHI (e.g., an Internet Service Provider). Third parties that “maintain and store” PHI (e.g., a cloud storage provider) are now considered Business Associates.
HHS acknowledges in its commentary on the new rule that small businesses might be onerously burdened with HIPAA compliance, as they don’t yet have the “formal administrative safeguards” such as a risk management program, written policies, documented compliance, etc. Nevertheless, HHS will enforce HIPAA vigorously, and now state attorneys general can also enforce HIPAA.
Moreover, the penalties for noncompliance are much higher than previously (the maximum penalty for noncompliance has been increased to $1.5M). Check out the new rules now and make a plan for dealing with them if they apply to you. If you’re unsure how to proceed, turn to Pivot Point; we can talk you through your options.