Information Security Blog

Omnibus: HIPAA Now Applies to Many More Companies — Is Yours One of Them?

The new HIPAA/HITECH “Omnibus Rule” went into effect on March 26, 2013, and organizations have 180 days to come into compliance — which is not a lot of time. This new regulation modifies HIPAA in line with changes mandated by the HITECH Act of 2009.

One of the key changes in the new rule, which will have a broad impact across the healthcare industry and far beyond, is a significantly broader definition of what constitutes a “Business Associate” for compliance purposes. In the past an organization was not a Business Associate (and therefore not required to be HIPAA compliant) unless it signed a Business Associate Agreement. Omnibus makes virtually any entity handling Protected Health Information a Business Associate – even if it has not signed a Business Associate Agreement. Healthcare and health plan providers now have more Business Associates to worry about than before, and many service providers that weren’t worried about HIPAA now need to be.

The sweeping intent of these changes is to ensure that HIPAA protections extend “no matter how far ‘down the chain’ the information flows.” They make many more third parties subject to applicable HIPAA rules, notably the HIPAA Security Rule and parts of the Privacy Rule.

To summarize the changes:

* A Business Associate is basically any person/organization that creates, receives, maintains or transmits protected health information (PHI).

* This includes more “obvious” services such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities (per 42 CFR 3.20), billing, benefit management, practice management, etc.

* It also includes less “obvious” services such as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

* Entities that provide data transmission services for PHI, and/or require access to PHI “on a routine basis,” are implicitly defined as Business Associates – even if they have not signed a Business Associate Agreement.

* A subcontractor that creates, receives, maintains or transmits PHI on behalf of a Business Associate is also defined as a Business Associate — the impact of this change is huge.

* The so-called “conduit exception” is now limited to organizations that only transmit PHI (e.g., an Internet Service Provider). Third parties that “maintain and store” PHI (e.g., a cloud storage provider) are now considered Business Associates.

HHS acknowledges in its commentary on the new rule that small businesses might be onerously burdened with HIPAA compliance, as they don’t yet have the “formal administrative safeguards” like a risk management program, written policies, documented compliance, etc. Nevertheless, HHS will enforce HIPAA vigorously; and now, state attorneys general can also enforce HIPAA.

Moreover, the penalties for non-compliance are much higher than before (the maximum penalty for non-compliance has been increased to $1.5M). Check out the new rules now and make a plan for dealing with them if they apply to you. If you’re unsure how to proceed, turn to Pivot Point; we can talk you through your options.

About the Author:

Bob Brown - Senior Security Analyst, ISO 27001 Certified Lead Implementer
