The Omnibus Rule has now been in effect for a week. It is an amendment to the HIPAA regulations that requires all Business Associate Agreements (BAAs) to be HIPAA-compliant. Any new BAAs, meaning those issued after Sept 23, 2014, must comply with the HIPAA Omnibus Rule, and the same applies to any business agreements already in place: existing agreements must also be updated to take the new Omnibus Rule into account.
If any agreements have not been updated, the HHS’ OCR will consider this a HIPAA violation and would be within its rights to issue a financial penalty for each agreement that does not comply with the new rule. It is therefore essential that healthcare organizations perform a full review of all currently active BAAs and address any non-compliance issues.
Issuing HIPAA Compliant Business Associate Agreements
A HIPAA-compliant BAA must be issued and signed by a Business Associate (BA) to ensure that PHI is properly protected. A Business Associate is classed as any individual, company, organization or other entity that performs a function, offers a service or conducts activities on behalf of a covered entity which requires access to Protected Health Information (PHI). It is important to note that ‘entity’ includes e-prescribing gateways and software that accesses PHI data.
Failure to comply with the BAA or adhere to its terms leaves the business associate liable. Liability means financial penalties will be incurred for non-compliance issues, and the BA could potentially face criminal charges for the disclosure of confidential PHI to unauthorized third parties.
What Must be Included in a BAA?
Information must also be provided on how the data must be treated on completion or termination of the contract. Ideally the data must be returned or else permanently destroyed. It must also be stated that, in the event of a violation of a material term of the contract, the covered entity has the right to terminate that contract.
Immediate Action Required
If you have not reviewed your BAAs to account for the Omnibus Rule, you are committing a HIPAA violation and can face financial penalties for each violation committed. Consult the HHS website for further information on BAAs and the Omnibus Rule, and ensure all business associates are aware of the new regulations and agree to abide by their terms.