HIPAA Omnibus Rule’s Impact on Medical Practice Vendors

Posted on 08.06.13

Author: Benjamin A. Sady, Senior Manager, Risk Advisory Services

The HIPAA Omnibus Rule became effective on March 26, 2013. There is a 180-day window for Covered Entities and Business Associates to become compliant with most of the final rule. That means compliance must be achieved by September 23, 2013, no matter the size of the company.

Regarding vendors of medical practices, the final rule clarifies the definition of a Business Associate and makes Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.

The rule provides examples of what constitutes a Business Associate and defines them as companies that create, receive, maintain, or transmit protected health information on behalf of a Covered Entity. Those services might include: document storage, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, financial services, processing or administration, data analysis, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing.

Previously, depending on whom you talked to, there was some discussion as to whether these types of companies were Business Associates. The final rule clears that up, which means that these various companies that provide services to medical practices and hospital systems must be in compliance with certain HIPAA rules by September 23, 2013.

Additionally, the rule takes the compliance requirement down a level to the Subcontractor. A Subcontractor who creates, receives, maintains, or transmits Protected Health Information on behalf of a Business Associate is then considered a Business Associate themselves and must comply with the applicable rules by September 23, 2013.

Regarding “satisfactory assurances”, Covered Entities are required to obtain assurance from their Business Associates that their Protected Health Information will be protected, as required by the rules. Again, taking it down a level, the rule indicates that Business Associates are required to obtain the same assurance from their Subcontractors / Business Associates.

The updated definition of a Business Associate and who is “on the hook” for compliance is a significant clarification. As such, there are many Business Associates that previously did not consider themselves in scope but now need to ramp up their HIPAA knowledge and policies in a very short timeframe: by September 23, 2013, to be exact.

Questions on this topic? Contact your Keiter representative or Ben Sady, bsady@keitercpa.com | 804.273.6251, for more information.