As hospitals race to ensure they're complying with the Sept. 23 deadline for the HIPAA Omnibus Rule, North Carolina's CaroMont Health is among the organizations trying to track down all of its business associate contracts.
The new rule applies to business associates and their subcontractors who deal with personal health information. New contracts and renewals since the rule was enacted in January must be in compliance by Sept. 23, but the deadline is a year later for existing contracts.
For the 435-bed hospital in Gastonia, N.C., that means tracking down an array of business associates, since much of its growth has been through mergers and acquisitions. Besides the hospital, it has 45 primary care and specialty care practices, as well as a hospice and skilled nursing center, according to a case study at HealthcareInfoSecurity.
It has identified more than 250 business associates, but that number is expected to grow. So far, it has not terminated any relationships, but there have been "strong negotiations back and forth" on some issues, according to the article. For instance, CaroMont is requiring business associates to provide notice of a breach within five days and to encrypt the information, even though the HIPAA rule does not make encryption mandatory.
Amid concerns that many organizations don't really understand HIPAA, HHS has said it will offer guidance and technical assistance to covered entities and business associates with reservations about the updated omnibus rule.
Some software companies have argued that they aren't business associates and have balked at complying, FierceEMR reports. Yet they have access to patient information through upgrades, staff training and the like.
Nonprofits, too, can fall under the rule, according to authors from the law firm Venable in a post at Lexology that explains what those organizations need to be doing.