CDT highlights critical HIPAA omnibus regulations

From: HealthITSecurity

Patrick Ouellette

Though the HIPAA Omnibus Rule compliance date was Monday, the areas of the rule that the Center for Democracy & Technology (CDT) highlighted last Thursday are still relevant for organizations that touch protected health information (PHI) in some form.

CDT Health Privacy Project Director Deven McGraw, who has great experience in working with patient privacy laws and policy, explained during a media briefing why expanded accountability for adhering to federal health privacy and security rules is an important piece to HIPAA.

New responsibilities for business associates and subcontractors

One of the most important changes to HIPAA, in [CDT and McGraw’s] opinion, was the extension of accountability for complying with the HIPAA Privacy and Security Rules to business associates (BAs) and subcontractors.

The new responsibilities are a departure from when only covered entities were held liable by regulators; there is now a chain of accountability that in some ways follows the patient’s identifiable health information. The new rules are a change especially for some of the smaller BAs, many of whom will be new to HIPAA regulations, said McGraw.

While I don’t know exactly what OCR’s plan for auditing BAs will be, I hope that they would start by extending the audit program from just covered entities to BAs. If you look at some Office for Civil Rights (OCR) comments, some are concerned with BA activities but had felt constrained to move forward with any additional action given their commitment to not enforce the rule until 180 days after it was published. It will be interesting to see where they go in that area.

Who is a BA?

Other BA clarifications that CDT found helpful were explanations from the Department of Health and Human Services (HHS) as to who is and who isn’t a BA. If, for example, you’re a medical provider using a cloud-based service for your EHR, the HIPAA Omnibus Rule made it clear that the cloud service provider is a BA and needs a business associate agreement. (CDT recently explored the ways in which HIPAA and cloud computing intersect for organizations in a FAQ.)

Another important piece for McGraw was [HHS] explaining what constitutes a PHI breach that requires a patient to be notified.

Read Complete Article
