Covered entities (healthcare providers) have until Sept. 23, 2013 to implement all the policies and procedures under the Omnibus rules. These policies and procedures are required in order to comply with all the changes that have been made to the Health Insurance Portability and Accountability Act (HIPAA).
The OCR department of Health and Human Services (HHS) released the final omnibus rules in January of 2013 and will start enforcing these rules on Sept. 23, 2013. HHS has made it clear that penalties can range from $100 to $1,500,000.00, depending on the type of violation that the covered entity has committed.
One of the most important changes that comes with the final omnibus rule concerns covered entities’ relations with their business associates. These rules affect the working relations that exist between a covered entity and its business associates. Business associates are those vendors that have access to a covered entity’s Protected Health Information (PHI). With the new rules, business associates are responsible for securing PHI just as covered entities are. In other words, business associates need to be HIPAA compliant and can face the same kind of penalties covered entities face. With the Omnibus Rules, vendors that have access to PHI need to comply with all the HIPAA regulations.
Even though a covered entity’s business associates are required to be HIPAA compliant, in the case of a breach on the part of the business associate, the covered entity is responsible for sending notifications to its patients and for reporting the breach to HHS.
Covered entities must review all their business associate contracts to make sure that these are updated to meet all the omnibus requirements. Business associates such as health information technology companies and consultants have put in place business associate agreements that do not make them responsible for the loss of patient data. With the final omnibus rules, business associates need to sign agreements that abide by the final omnibus rules. Medical practices must make sure that all their business associate agreements are updated and signed.
At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. As part of our HIPAA Compliance consulting services, we provide updated business associate agreements. We also help medical practices Reach out to us to review your current HIPAA Compliance Program. A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.
For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.