Are you ready for September 23, 2013? That is the compliance date for the Omnibus Rule modifying HIPAA, after which enforcement begins in full. The rule touches many areas of compliance, but one of the most important to consider, whether you are a private practice, a hospital, an insurance broker, or simply someone who works with any of these groups, is the new set of requirements regarding Business Associate Agreements (BAAs).
You probably already know that BAAs are contracts designed to ensure compliance with the law and responsible handling of Protected Health Information (PHI). These agreements require, for instance, an insurance broker to contractually agree to handle any PHI of the practices it represents in accordance with HIPAA and all other applicable laws and regulations. They also protect the originator of the PHI: when a business associate covered by a BAA fails to comply with the law, that failure is the business associate's liability rather than automatically falling back on the practice. The practice is still responsible for its own obligations, however, including having a valid BAA in place in the first place.
Under the new provisions the need for BAAs expands dramatically. The chain no longer stops with the insurers, brokers, and third-party services that deal directly with the covered entities (the practices, hospitals, and so on). The rule treats a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate as a business associate in its own right, so the chain of agreements must continue down the line. Not only should the primary originators of PHI have BAAs with their insurers, brokers, and the like, but they should also confirm that those organizations are securing BAAs with anyone they contract or cooperate with in a way that passes PHI further along. This means data storage organizations and facilities, software providers, IT groups, and more.
The details of who will and won't be considered a business associate, and thus require a BAA when PHI is involved, are too complicated to cover exhaustively here, but the first step is simply being aware of the change. Now that you know, you can go to resources such as this HHS site and work out how the law applies to you in detail. Once you understand what kinds of entities you, or others in your professional network, may need BAAs with under the new law, you can set to work creating a list. Then, with the help of an attorney, you can most likely draft a single generic BAA, or at least just a few, that you modify as needed to suit your different business relationships. Note that the rule gives some relief for existing agreements: a BAA that was already in place and compliant under the old rules before the Omnibus Rule took effect can generally continue in force until September 22, 2014, as long as it is not renewed or modified in the meantime, but any new or amended agreement must meet the new requirements now.
Keeping up with regulations and changes in the law is never particularly fun, but it can save you a lot of trouble down the line. As mentioned at the beginning of this article, the rule is technically already in effect, but enforcement becomes much more aggressive when the transition period ends next week, on Monday the 23rd. On top of that, under the Omnibus Rule the maximum annual penalty for violations of a single provision rises from an already substantial $25,000 to an astonishing $1.5 million. So, like it or not, everyone is best off understanding the changes and preparing now.