Covered Entities and Business Associates HIPAA Omnibus Rules Requirements
Under the HIPAA / HITECH Omnibus Rules, covered entities need to update their HIPAA compliance programs by September 23rd. One of the major changes under the HIPAA / HITECH Omnibus Rules relates to business associates. Business associates are not considered covered entities, but they do have access to patient information. Under HIPAA, business associates can be IT companies, pharmacy benefit managers, insurance brokers, copy machine vendors, shredding companies, etc. Business associates come in contact with protected health information (PHI). Under the HIPAA / HITECH Omnibus Rules, business associates must comply with the HIPAA Security Rule and with many aspects of the HIPAA Privacy Rule. Covered entities must make sure that their business associates comply with all the HIPAA regulations. Just like covered entities, business associates are subject to being audited by the Department of Health and Human Services (HHS).
As part of the HIPAA / HITECH Omnibus Rules, covered entities and business associates must comply with the following, or they can be found in willful neglect:
1. Develop or update their security policies and procedures. The HIPAA Security Rule establishes national standards to protect electronic personal health information that is created, received, used, or maintained by a covered entity or a business associate. Conducting a risk assessment is the first thing covered entities and business associates must do in order to update their security policies and procedures. A security breach is the highest risk covered entities and business associates need to think about; a security breach can cost a practice more than $1,000,000.00. Covered entities and business associates can protect themselves from a security breach by following the recommendations of a risk analysis.
2. Develop or update their privacy policies and procedures. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or a business associate in any form or media, whether electronic, paper, or oral, when combined with treatment, payment, or operations information. New changes have been put in place under the HIPAA / HITECH Omnibus Rules; in particular, the Privacy Rule now sets a standard for determining whether a security breach has taken place.
3. Update their current business associate agreement. Business associates must put in place a business associate agreement with all of their subcontractors. Covered entities do not need to have an updated business associate agreement until September 22, 2014.
4. Put in place or update the HIPAA Notice of Privacy Practices (NPP). Covered entities and business associates are required to update their NPP with the latest HIPAA / HITECH Omnibus Rules changes by September 23, 2013. The updated NPP will inform patients of all their rights and all the restrictions under the Omnibus Rules. The NPP must be posted on the covered entity's web site; it must also be posted in the office and made available to all patients.
5. Conduct yearly HIPAA training. Training of the office staff must be conducted on a yearly basis and must be documented. Covered entities and business associates are not expected to know every single detail of the HIPAA regulations, but they must have a general knowledge of HIPAA and know where to find resources in case a HIPAA-related matter needs to be addressed.
At Vitruvian MedPro, we help medical practices stay out of willful neglect by providing HIPAA compliance consulting services. As part of these services, we help medical practices perform and document a risk analysis, and we provide them with a thorough risk management report describing their risks and vulnerabilities related to PHI.
A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.
For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.
At Vitruvian MedPro, a Massachusetts-based medical billing and practice management consulting company, we help medical practices improve cash flow and focus on patient care by providing medical billing, medical coding, and patient collection services. Visit our web site at Vitruvian MedPro.