The passing of the Omnibus Rule extended HIPAA’s reach to include business associates of HIPAA-covered bodies and requires them to comply with the same set of standards as the healthcare organizations with which they work.
Business Associates are defined as any organization or individual that is required to work with, view or come into contact with Protected Health Information. This means the providers of hosting or data storage services will now be included under HIPAA and will be required to sign a business agreement that states they will adhere to HIPAA regulations. They will also be subject to financial sanctions if the Department of Health and Human Services locates any non-compliance issues.
The new rule was brought in to ensure patient health data is kept safe and in the case of business associates the alteration in legislation is long overdue. BAs are responsible for the exposure of a considerable amount of patient data and since HIPAA was brought in, BAs have been responsible for 22% of all security breaches according to an analysis of HHS breach reports conducted by Profitable Practice.
The research also found that when business associates have been liable for a security breach, the volume of data exposed is considerable. While 22 percent of HIPAA breaches were caused by BA’s, 48% of the 26.8 million individuals affected by security violations had their data exposed as a result of a BA security weakness.
The new rule makes BAs responsible for their actions – or lack of them – and it should minimize the number of data breaches happening as a result of BAs. BAs are also responsible for any subcontractors they use and must take responsibility for their activities and ensure they too are aware of HIPAA regulations and a BA is completed.
Any business associate that does not believe they have the policies and procedures in place to deal with the new HIPAA regulations should act quickly. It is not too late to become HIPAA compliant, although the deadline for putting in place policies and strategies is fast approaching. Any HIPAA violation or non-compliance issue found after the Sept 23 deadline could result in a financial sanction being issued by the OCR of up to $1.5 million per year, while individual violations now carry a maximum penalty of $50,000 per incident.
If you have any questions about the new regulations and what action needs to be taken you should seek legal guidance from an attorney who specializes in healthcare compliance. A full risk analysis must be completed to decide whether any security risks exist and details of the steps taken to protect data should be fully recorded.