Some business associates (BAs) have been around a long time serving all or mostly healthcare clients. For those companies, the ins and outs of the HIPAA Final Omnibus Rule of 2013—which expanded the definition of a BA and added new requirements—may be old hat.
But many other companies outside the healthcare industry may not understand all the obligations related to being a BA. We’re talking about a cloud services provider, for instance, that is storing protected health information (PHI). Or a Web designer that has access to patient records when working on a clinic’s website. Any company that “creates, receives, maintains, or transmits” PHI on behalf of a covered entity (CE) qualifies as a BA, along with those that manage PHI.
Many of these companies may not even realize that they are considered a BA, or perhaps more likely, they know and push it out of mind because the risks seem remote (even if they’re not). BAs may also be overwhelmed by the complexity of complying with the Final Omnibus Rule, which includes separate HITECH Privacy, Security, and Breach Notification Rules.
Here, then, are three tips to help BAs navigate the sometimes complicated waters of the Final Omnibus Rule and its specific guidelines for BAs.
Tip #1: Know the Regulations
Obvious, right? But if you’re a new BA or serve a limited number of healthcare clients, you may not have taken the time to read through the Omnibus Rule and understand all its requirements. You should.
As a BA, you are subject to many of the same compliance requirements as CEs, and similar repercussions. The Office for Civil Rights can audit BAs for compliance, and if you fail to comply, you could face regulatory fines, civil money penalties, lawsuits, and corrective action plans.
It therefore makes a lot of sense to know what the HITECH Privacy, Security, and Breach Notification Rules are, long before getting audited or suffering a breach. Yes, there are 57 requirements under the Security Rule alone, but you may already be in compliance with all or most. Just take the time to make sure.
Tip #2: Know the Contract
By legal definition, an organization can be a BA even without a BA contract with a covered entity or other BA. Those instances are rare, however. Usually, if you are a BA, you will have signed a contract—and you need to fully understand the terms of that contract.
The contract should, for example, spell out how to coordinate breach notification activities. As a BA, you will be obligated to notify the CE if a breach occurs, but the timeframe for notification depends on the terms of your contract. The CE must notify the affected individuals, but you have to look through your contract to find out how those notifications will occur and who will pay for them.
Tip #3: Have a Strategy to Assess Incidents
Whatever the breach notification details of your BA contract, you first have to determine if an incident rises to the level of requiring notification to the CE. To make that determination, BAs have to work through the four-factor risk assessment process specified in the Breach Notification Rule. That process includes:
The CE will have the final say on whether individuals must be notified of a data breach, but the BA needs to determine which incidents to report to them—it certainly doesn’t look good to over report or underreport. And it looks even worse to be caught entirely unaware of this and other BA responsibilities.
As president and co-founder of ID Experts, Rick is an expert in privacy and information security, with extensive experience leading organizations to address the growing problem of protecting PHI/PII and remediating privacy incidents, identity theft, and medical identity theft. With over 30 years of experience in the technology industry, Rick leads and participates in several cross-industry data privacy groups, speaks at conferences and webinars, and regularly contributes articles to industry and business publications.
Originally posted on the ID Experts blog.