It has been one year since the HIPAA Omnibus regulations went into full effect, but today marks the date that all business associate contracts must be conformant. With the enactment of HIPAA Omnibus in 2013, modifications to the Privacy and Security Rule expanded the definition of business associates to include any vendor that creates, receives, maintains or transmits PHI on behalf of a provider or another business associate.
The Omnibus Rule goes to great lengths to clearly identify the criteria for defining a business associate. In the past, HIPAA rules were primarily aimed at “covered entities” – hospitals and other care providers. The third parties who handle or process PHI – business associates – had to comply by contract, but faced no direct enforcement. With the enactment of the Omnibus Rule, covered entitles were responsible to enter into a compliant HIPAA agreement with all business associates; September 23rd, 2014 marks the date that all covered entity and business associate contracts must have business associate contracts that conform to the changes in the HIPAA privacy, security and breach notification rules.
As hospitals and care providers evaluate their prospective business associates relationships, it is also important for them to ask some key questions about their vendors’ agents and subcontractors. With the use and disclosure of PHI, HIPAA regulations require that business associates hold their agents and subcontractors to the same conditions as the covered entities and business associates. Some key considerations for evaluating prospective vendors include:
- Ensuring that vendors have signed contracts with their subcontractors and agents that explicitly state expectations regarding privacy and security compliance; covered entities should also ask for specifics on how the vendor audits subcontractors to validate compliance.
- Understanding the policies and procedures that the vendor has put in place to monitor the use or disclosure of PHI. Do they have regular reviews of their procedures? Are there clear processes for notifying the covered entity in the event of a breach?
- Determining the vendors’ policies regarding employee training procedures. Employee training and documented processes help ensure that PHI is handled properly.
As we acknowledge the Omnibus Rule anniversary date and prepare for the upcoming AHIMA National Conference (#AHIMA85th and #AHIMACon14), we can celebrate the advances in Health Information Management and the initiatives in place that are helping to establish higher levels of security and protection.