Business Associate


September 23, 2013 is an important date for medical practices: it is the day the government begins enforcing the Final Omnibus Rule changes to the Health Insurance Portability and Accountability Act (HIPAA). The Omnibus Rule changes concern how medical practices secure Protected Health Information (PHI), whether medical practices have updated their Business Associate (BA) agreements, and what medical practices must communicate to their patients about their privacy rights.

The changes under the Final Omnibus Rule took effect in March 2013, but covered entities were given 6 months to review their HIPAA plans and comply, which sets the September 23, 2013 enforcement date. The Department of Health and Human Services (HHS) updated the HIPAA regulations under the Final Omnibus Rule to account for the wider use of electronic health records by medical providers.

In order to comply with the new regulations, medical practices are required to:

1. Perform a risk analysis to identify vulnerabilities affecting PHI. Medical practices are expected to document that they have completed a risk analysis. A completed risk analysis produces a risk management report that lists the vulnerabilities of the practice's electronic PHI.

2. Encrypt devices that store PHI so that the information cannot be used if the devices are lost or stolen.

3. Develop and review the policies and procedures the medical practice will follow if PHI is breached (lost, stolen or inappropriately disclosed).

4. Review the BA agreements with their current vendors. Updated BA agreements are required for all vendors that have access to PHI. Medical practices need to ensure that their BAs have put in place all the required safeguards to secure PHI.

A breach of PHI brings hefty fines to medical practices that are found to be in willful neglect. The fines range from $100 to $50,000 per violation and can go higher depending on the size of the medical practice and the type of breach.

At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. Reach out to us to review your current HIPAA Compliance Program. A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.

For more information on Vitruvian MedPro’s HIPAA Compliance Kit visit: HIPAA Compliance Kit.

For more information on the updates made under the Omnibus Rule visit: HHS.

This post used as reference an article published by Medical Economics – A quick guide to HIPAA compliance for Physicians published on July 10, 2013.


The Department of Health and Human Services (HHS) defines a business associate as a person or entity that performs certain functions or activities involving the use or disclosure of patient protected health information (PHI) on behalf of a covered entity. A business associate is not an employee of the covered entity, but someone who provides services to it. A covered entity itself (a covered health care provider, a health plan, or a health care clearinghouse) can also be a business associate of another covered entity. HHS describes functions or activities such as payment or health care operations activities as what may make a person or entity a business associate.

Business associate activities include claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management and re-pricing. Business associate services include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation and financial services.

Most health care providers and health plans do not carry out all of their health care activities and functions by themselves and need to outsource some of them to other persons or entities, known as business associates. The HIPAA Privacy Rule applies only to covered entities, and it allows health care providers and health plans to disclose PHI to business associates as long as the providers or plans obtain proper assurances that the business associates will use the PHI only for the purpose for which the covered entity contracted them. Business associates are responsible for safeguarding PHI from misuse and help the covered entities they work with meet some of the covered entities' responsibilities under the Privacy Rule. A covered entity may disclose PHI to a business associate only to help the covered entity carry out its health care functions.

As part of the Final Omnibus Rule, the Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associates that they will appropriately safeguard the PHI they receive or create on behalf of the covered entity. The covered entity must perform its due diligence and make sure that its business associates are HIPAA compliant. According to HHS, these satisfactory assurances must be made in writing between the covered entity and the business associate.

Vitruvian MedPro’s HIPAA Compliance Kit provides covered entities with up-to-date business associate agreements that cover all the requirements put in place by the Final Omnibus Rule.

For more information on business associates visit the HHS site at Business Associate Definition.

For more information on Vitruvian MedPro’s HIPAA Compliance Kit visit: HIPAA Compliance Kit.