HIPAA business associate agreement deadline looms large for healthcare entities

A final deadline under the HIPAA Omnibus rule is quickly approaching: healthcare organizations must have their business associate agreements revised and in place by Sept. 22.

That date is key because, as healthcare compliance attorney Betsy Hodge says in an interview with HealthcareInfoSecurity.com, there was a grandfather provision in the original omnibus rule for existing business associate agreements. Organizations were given another year to revise agreements under the final HIPAA omnibus rule, and that deadline is now less than a month away. 

Those revisions are paramount because under the rule, business associates and subcontractors that work with covered entities are now directly accountable for the privacy and security of protected health information.

To meet the deadline, Hodge says, covered entities and business associates should identify all of their business associates or subcontractors so they know with whom they have to work. Hodge also says they should review any existing agreements to make sure that they are compliant.

As for the potential for mistakes with these kinds of agreements, Hodge tells HealthcareInfoSecurity.com that companies sometimes view them as just another "check the box formality."

"They are not thinking about what risk they have with the particular party on the other side with whom they are negotiating," she says. "And so the business associate agreement may not reflect or properly allocate risk among the parties."

They also don't always think about where their data may go once it's in the hands of a business associate or subcontractor, she says, including whether the information may be offshored and the complications that could arise if data goes outside the U.S.

The final rule is one that hospital leaders have said will be a challenge. 

"On one hand we have 'protect, protect, protect' and on the other hand we have 'share, share, share,'" Todd Richardson, vice president and CIO of Wausau, Wisconsin-based nonprofit health system Aspirus, Inc., told FierceHealthIT at the time the rule was announced. "While the balance is 'protect and share,' the devil is always in the details. The reality is that all of the information is not under the tight control of the covered entity."

To learn more:
- listen to the HealthcareInfoSecurity.com interview