The HIPAA Omnibus Rule came into effect on January 25, 2013 and requires subcontractors (called Business Associates) who handle PHI (protected health information) on behalf of Covered Entities (CEs) and other Business Associates to be HIPAA compliant.
But what does this mean for you and your business?
The HIPAA Omnibus Rule: Explained
First, the word omnibus is defined as “comprising several items”, which describes this rule well.
The HIPAA Omnibus Rule defines vendors and subcontractors or any entity that handles protected health information (PHI) on behalf of Covered Entities as Business Associates (BAs). Business Associates are required to be compliant with the HIPAA Security Rule, general HIPAA compliance, and any contractual requirements arising from Business Associate Agreements with Covered Entities.
Who is Impacted by the HIPAA Omnibus Rule?
The impact of this rule has resulted in a massive increase in the amount of businesses that need to be HIPAA compliant, and opened up compliance regulations to industries including:
- Software companies
- Medical device manufacturing companies
- Consulting firms
- Accounting firms
- Lawyers
- Medical billers
- Transcriptionists
- And many many more!
Software Companies and the HIPAA Omnibus Rule
The impact of the HIPAA Omnibus Rule has been felt most significantly in the world of software development. Since the passing of the Omnibus Rule, any software company that stores, transmits, uses, discloses, analyzes, captures, manages, or buys healthcare data must sign a Business Associate Agreement (BAA) that states that they will implement all the administrative, technical, physical safeguards outlined in the HIPAA Security Rule and that they will assist their Covered Entity partners in performing their duties with regard to patients’ rights.
Double check your Business Associate Agreements with Covered Entities to identify additional requirements that you may be responsible for in order to assist the CE with their responsibilities including:
- Providing patient access to records
- Amending records
- Limiting disclosures of records
- Maintaining security of records
- Verifying the identity of patients
- Documenting patient’s personal representatives
The Unbroken Chain of Responsibility
One of the most important elements of the HIPAA Omnibus Rule is that it requires an unbroken chain of responsibility for PHI.
The Omnibus Rule also requires Business Associates to obtain a signed Business Associate Agreement (BAA) from their subcontractors and vendors who handle PHI on their behalf. For example, a software company might be a Business Associate to a hospital, but if their software resides in AWS, then the software company must obtain a BAA from Amazon. The requirement for BAs to obtain BAAs from their BAs establishes an unbroken chain of custody and liability for the secure handling of PHI.
“Reasonable Assurance” of Compliance
Additionally, the HIPAA Omnibus Rule requires Covered Entities and Business Associates to obtain “reasonable assurance” that their vendors are able to do the things described a business associate agreement. In other words, how do you know that your vendor really is HIPAA compliant?
“Reasonable assurance” is equivalent to due diligence.
In the healthcare industry, there is no standard for what is reasonable to make you feel sure that a vendor is competent and responsible with patient data. Tests of “reasonable assurance” can be an evaluation of a BA’s risk assessments, a custom security attestation form, or a request for a certification that goes beyond the scope of HIPAA, such as SOC 2 or HiTRUST.
It is critical to remember that liability can flow upward. If you have not done your due diligence and obtained “reasonable assurance”that your business associate is maintaining compliance and your business associate has a data breach, the OCR may consider you liable for putting that patient data at risk.
Example: As a Covered Entity (dentist office) it’s my responsibility to be certain that I am “reasonably assured” that my vendor (network service provider) is compliant with their BAA, including a clause that says they will get BAAs from their vendors (development firms). This can be achieved through questions in a vendor evaluation form.
The important thing to remember is that only YOU can prevent a data breach, and the HHS agrees and will hold you responsible for that.
Takeaways
- The HIPAA Omnibus Rule requires vendors, subcontractors, or any entity that handles protected health information (PHI) on behalf of covered entities to also be compliant with the HIPAA Security Rule.
- This rule resulted in a massive increase in the amount of businesses that need to be HIPAA compliant, and an unbroken chain of responsibility between business associates handling patient data.
- Liability can flow upward, so it is critical to have “reasonable assurance” beyond signed BAAs.
Have you done your due diligence? Is someone doing due diligence on you? We can help sort this mess out.
Contact us today at (503)-389-5666 or info@gazelleconsulting.org!