As expected, dissecting the new HITECH Omnibus Rule will be a long and tedious process. Hence, our basic approach is to handle a number of issues at a time to facilitate comprehension and implementation of the required actions.
- Effective date. An effective date is the specific month, day, and year on which a law, contract, policy, or treaty becomes enforceable. In this case, the effective date is closely tied to the implementation date, the date by which the changes must be in place: March 26, 2013.
- Compliance date. The Federal Government normally gives the public time to implement the rules before enforcing them. In other words, it will not fine or prosecute non-compliance until that date. The HITECH Omnibus Rule compliance date is September 23, 2013.
- Business Associates. The Omnibus Rule applies all of the HIPAA Security Rule standards and implementation specifications and certain HIPAA Privacy Rule provisions directly to business associates and it adds “subcontractors” to the definition of “business associate” and requires business associates to enter into written contracts with subcontractors that are substantially similar to business associate agreements.
  - Covered entities cannot disclose protected health information (“PHI”) to business associates without a business associate agreement.
  - A “business associate” is any person who “creates, receives, maintains, or transmits” PHI on behalf of a covered entity; this wording clarifies that any entity that maintains PHI, such as a data storage organization, is a business associate even if it does not access or view the PHI.
  - Subcontractors of a business associate that create, receive, maintain, or transmit PHI on behalf of that business associate shall be treated as “business associates”. Therefore, these downstream subcontractors are subject to the same requirements as the first business associate.
  - Each business associate must have a HIPAA-compliant BAA in place with its subcontractors, its subcontractors with their own subcontractors, and so forth down the chain of subcontractors, no matter how long.
- Breach Notification: Any acquisition, access, use, or disclosure of PHI not permitted under the Privacy Rule is presumed to be a breach unless a covered entity or business associate can demonstrate a low probability that the PHI has been compromised based on a four-factor risk assessment.
- Enforcement: The increased and tiered civil money penalty structure provided by the HITECH Act, with penalties based on the level of negligence and a maximum penalty of $1.5 million per violation, is now part of the Omnibus Rule.
While there is some time available to prepare, a couple of months may not be enough to accomplish all the required actions needed to establish even a semblance of compliance. At the same time, there is no reason to panic if you follow some simple advice.
- Revise your business associate (BA) agreement in accordance with the changes in the HITECH Omnibus Act and any other previous legislation.
- ALL BUSINESS ASSOCIATE AGREEMENTS ARE OUTDATED!!
- Consider the following points on your BA agreement:
  - Delineate each party’s rights and responsibilities in the event of a breach
  - Include indemnification for costs and damages incurred where a security incident or breach is the business associate’s fault (or the fault of its agent or subcontractor)
  - Include representations and warranties from the business associate acknowledging its new direct responsibilities under the HITECH Omnibus Act
  - Include the requirement that a business associate report to the covered entity any breach of which it becomes aware, in addition to security incidents
  - Include the requirement that a business associate, to the extent it carries out a covered entity’s obligation under the Privacy Rule, comply with the requirements that apply to the covered entity in the performance of that obligation
- Create, or revise if one already exists, a list or database of subcontractors
- Define the responsibilities of subcontractors and check whether they have access to PHI
- Make sure that everyone who has access to PHI signs the revised business associate agreement
Additional steps to follow include but are not limited to:
- Review and update current HIPAA policies and practices
- Provide ongoing workforce HIPAA training
- Monitor overall HIPAA compliance
- Track the latest developments in HIPAA regulations and in federal and state enforcement activities
Bottom line: don’t delay, and consult an expert, as this new regulation will challenge even the most seasoned professionals.
Dr. Jose I. Delgado is the President and CEO of Taino Consultants Inc.