The final Omnibus Rule, which became effective on March 26, 2013, requires Covered Entities (CEs) and Business Associates (BAs) of all sizes to comply with most of the HIPAA rules' provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule.
These days most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other individuals or businesses. Health & Human Services (HHS) defines this type of service provider as a BA, as defined in 45 CFR 160.103.
CEs and BAs, in accordance with § 164.306, must ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain, or transmit. A CE may permit a BA to create, receive, maintain, or transmit ePHI on the CE's behalf only if the CE obtains satisfactory assurances, in accordance with § 164.314(a), that the BA will appropriately safeguard the information.
Every CE must document that its BAs are HIPAA compliant. This requirement includes documentation of the BA's workforce training, evidence that the BA has HIPAA compliant security policies in place, and confirmation that an incident reporting procedure exists between your practice and the BA.
And don’t forget to document your findings – If it’s not documented, it didn’t happen!
Who Has to Comply?
Any healthcare provider, health plan, or healthcare clearinghouse that transmits any information in an electronic form in connection with transactions for which HHS has adopted a standard. For example, hospitals, academic medical centers, physicians, pharmacies, and other healthcare providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. CEs can be institutions, organizations, or individuals.
A BA is a person or entity, including a subcontractor, other than a member of the workforce of a CE, who performs functions or activities that involve access by the BA to protected health information (PHI). A subcontractor that creates, receives, maintains, or transmits PHI on behalf of another BA is also a BA.
A subcontractor is an entity to which a BA delegates a function, activity, or service, other than as a member of the BA's workforce.
There is no limit to the number of subcontractors that may be liable, because a subcontractor might delegate functions to other subcontractors, creating a chain of BA entities.
Covered Entities and Business Associates need to understand that patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
For tips like this and more, request your copy of the "HIPAA Security Rule – Know The Rules!" newsletter today, and learn more about our FREE monthly webinar.