
HIPAA’s Game Changer: Business Associate Agreements

Effective Sept. 23, the Omnibus Rule will not only dramatically increase both enforcement and penalties for noncompliance, but also cast a much wider net when it comes to affected entities—a factor that has recently thrust the Business Associate Agreement into the spotlight.
Although HIPAA is celebrating its tenth birthday this year, many independent agents are now paying attention for the first time thanks to the groundbreaking HIPAA Omnibus Rule.

 


While the notion of Business Associate Agreements is nothing new, at least one stipulation of the upcoming rule will drastically alter the HIPAA landscape. “The newsflash is the notion that independent agents and brokers have got to look downstream,” says Bob Chaput, CEO and founder of Clearwater Compliance LLC, a boutique software and consulting company that focuses solely on assisting health care organizations and business associates with HIPAA compliance.

 

Chaput explains that the HIPAA hierarchy previously consisted of three basic levels: “covered entities” like hospitals, medical practices and pharmacies on top; “business associates” like law firms and insurance agencies in the middle and third-party vendors like portal providers and data analytics firms at the bottom. But now, that pyramid of responsibility will extend even further.

 

Beginning this year, independent agencies will be required to document interactions with every single entity involved in both the direct and indirect exchange of personal information. That means an agency must sign an agreement with not only its own analytics firm, but also the IT group with which that firm shares personal information, and so on—creating what Chaput calls an “endless chain of trust.”

 

“The agency is sending [personal] information all over the place,” says Bill Larson, president of consulting firm Profit Protection Risk Management Consultants. “So the problem is—wherever I send that client information—if that third party had a breach somewhere and I do not have that Business Associate Agreement in place stating they are going to hold me harmless, then it will all roll back to the agency.”

 

And that’s not a position in which any agency wants to find itself. Chaput says “there are far more sources of risk and liability than simply being penalized by the feds”—which, this year, already involves an increase in penalty fines from a maximum of $25,000 to $1.5 million.

 

Now, independent agencies could suffer blows from “all directions,” says Chaput: In addition to fines associated with federal regulations, an agency might be subject to state and local privacy or security regulations and penalties, as well as individual or class action lawsuits.

 

Even if agents manage to escape penalty fines, the costs associated with the data breach notification process alone could “bury the agency,” says Larson. “I don’t want to sound like Chicken Little here, but chances are that if an agency is not prepared, they’re literally going to die.”

 

To avoid that fallout, Chaput recommends that agencies tackle Business Associate Agreements as one key stage in a basic seven-step process for HIPAA compliance. Doing so begins with forming a “cross-functional team” that engages employees at multiple levels, before agents “inventory all [their] people downstream” and “rank them according to risk,” Chaput says.

 

Agents should then take steps to manage their downstream Business Associate Agreements by:

  • Putting all third parties on notice that the agency is getting very serious about compliance
  • Conducting a meeting with all third parties, whether virtually or in person
  • Updating all existing Business Associate Agreements

 

With less than two weeks until the HIPAA Omnibus Rule takes effect, most agencies will be hard-pressed to take all necessary compliance steps in full. But while getting Business Associate Agreements in line is just one piece of the puzzle, it's one way to prove that your agency is at least trying to achieve compliance—and that’s most important, Chaput says.

 

“Some people say to us, ‘Look, we are so busy, I don’t have time to do seven things. What are you, nuts? I’m trying to run a business here,’” Chaput says. “And we say okay, we get that. Pick one, pick two. But whatever you pick, make sure you are in a position of being able to demonstrate good faith effort.”

 

Jacquelyn Connelly is IA assistant editor.

Tuesday, June 2, 2020
Agency Operations & Best Practices