Kusserow’s Corner: Reminder and Tips on Meeting HIPAA Business Associate Deadline

September 22, 2014, is the deadline to have all business associate (BA) and data use agreements updated to conform to the new HIPAA requirements of the Omnibus Final Rule, published January 25, 2013, which made changes to the Security Rule, the Breach Notification Rule and certain provisions of the Privacy Rule. The Omnibus Rule implements changes under the Health Information Technology for Economic and Clinical Health Act (HITECH) and affects nearly every business in the health care industry, as well as those businesses providing services to businesses in the health care industry. The upcoming deadline affects covered entities (CEs) with business associate agreements (BAAs) that were entered into on or before January 25, 2013, and that were not modified after March 26, 2013. These CEs must revise their BAAs by September 23, 2014, as necessary to ensure compliance with the Final Rule. If you are a CE or a BA and have not done so already, you may want to inventory all existing BAAs and related subcontracts. If they were executed on or before January 25, 2013, it is advisable to review them, as revised agreements may be needed.

What all this means is that the final rule extends the application of the HIPAA Security Rule, Breach Notification Rule, and certain provisions of the Privacy Rule (previously only imposed on CEs) directly to BAs, including their subcontractors (or “downstream” BAs), with the potential for enforcement by HHS now directly against the BA.

HIPAA Security Rule requirements that now apply to Business Associates include:

  • Implementation of administrative, physical, and technical safeguards to protect PHI;
  • Implementation of policies and procedures to comply with HIPAA; and
  • Maintenance of documentation of this compliance.

HIPAA Privacy Rule Requirements include:

  • Limiting uses or disclosures of PHI to only those provided for within BAA or permitted or required under HIPAA;
  • Limiting permissible disclosures or requests for disclosures of PHI to the minimum necessary;
  • Providing PHI to HHS to demonstrate compliance during investigations; and
  • Entering into BAAs with subcontractors that comply with the provisions governing business associate agreements between CEs and BAs.

The Omnibus Rule also incorporates the increased and tiered civil money penalty structure provided by HITECH, with penalties based on the level of negligence and with a maximum penalty of $1.5 million per violation. Because most HIPAA “breaches” involve security violations, Dr. Cornelia Dorfschmid, an expert on the subject, suggests that special attention be given to conducting the Baseline Security Audit, or redoing it if it was done many months ago. She notes that “proper controls within the system, particularly with BAs, will avoid a lot of potential problems in the future and some of the most egregious incidents have arisen from the easiest areas to control and protect: lost laptops and flash drives.” In addition, she notes that the timely reporting of such incidents is critical. Contracts between CEs and BAs must include provisions that require BAs to report to CEs any security incidents of which they become aware. Under the regulations, a “security incident” is defined as “the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.”

Suggestions and Tips

  1. Conduct a HIPAA Security Rule risk assessment, or redo it if one was done before;
  2. Review all BAs of a covered entity, or all subcontractors of a BA, to ensure all have up-to-date BAAs;
  3. Draft/update HIPAA policies and procedures;
  4. Establish/update BAAs to conform with Omnibus Rule changes;
  5. Educate subcontractor BAs about their responsibility, and that of their own subcontractors, to safeguard PHI, so as to mitigate the chance of agents causing upstream liability; and
  6. Conduct HIPAA training on the updated policies.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction screening.

Copyright © 2014 Strategic Management Services, LLC. Published with permission.