The HIPAA Omnibus Rule will go into effect on Sept. 23, promising a much higher degree of enforcement attention on independent agencies and brokerages, which are now considered “Business Associates” under HIPAA.

Now required to conduct periodic audits of both Covered Entities and Business Associates in compliance with HIPAA, the United States Department of Health and Human Services (HHS) joins state attorney generals in being authorized to implement HIPAA-related actions.

Note that a breach of Protected Health Information (PHI) is not required to trigger audit and enforcement action. Rather, the HHS will take action when a Covered Entity or Business Associate has not properly implemented HIPAA compliance requirements.

Who is a Business Associate under HIPAA?  

A “Business Associate” is a person or entity that performs functions involving the use or disclosure of PHI on behalf of, or providing services to, a Covered Entity. To be considered PHI, health information must include elements that can be used to identify the individual to which the information belongs. “Covered Entities” include health plans, health care clearinghouses and certain types of health providers.

Agencies that sell any health insurance products (such as medical, dental, vision, long term care, Medicare supplements) are likely to be considered Business Associates. Their agent agreements will thus include provisions that require them to comply fully with the HIPAA Security Rule, as well as with relevant portions of the HIPAA Privacy and Data Breach Rules.  

How will the HIPAA Omnibus Rule Affect Business Associates?

The HIPAA Omnibus Rule will give full effect to the new HIPAA Privacy and Security compliance requirements contained in the 2009 HITECH Act, which amended HIPAA.

• Business Associates are now subject to the same comprehensive Privacy and Security Rule requirements as Covered Entities, as well as to relevant sections of the HIPAA/HITECH Breach Notification Rule.
• HHS and state attorney generals may now impose substantial fines against Business Associates who do not comply with HIPAA/HITECH. Where there is HIPAA “Willful Neglect”—“conscious, intentional failure or reckless indifference to the obligation to comply”—HHS is obligated to investigate violations and the potential penalties become very severe.
• Business Associates are required to execute Business Associate Agreements with any subcontractors that receive access to their PHI. HSS provides sample Business Associate Agreement provisions.

For an overview of additional changes included in the new HIPAA Omnibus Rule, see “Health Care Providers, HIPAA Privacy and Security Compliance and the Effects of the 2013 HIPAA Omnibus Rule” by Paul Hales.

What Can Agencies do to Prepare?

According to Hales, HHS has focused its enforcement actions on Covered Entities to-date, citing them for “inadequate or no risk analysis and risk management programs, inadequate or no contingency plans [to protect the PHI in the event of loss or disaster], inadequate and incomplete policies, procedures, documentation and ineffective workforce training.”

The HIPAA Omnibus Rule will expand these enforcement actions to Business Associates. To ensure compliancy with stricter standards, Business Associates should:

1. Conduct a Risk Analysis, in which the organization must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the entity.”
2. Implement a HIPAA/HITECH Risk Management Program, which incorporates “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”
3. Complete compliance gap assessments to ensure that the Risk Management Program has addressed all applicable sections of the rules.
4. Develop policies and procedures to implement the HIPAA/HITECH Risk Management Program, covering all applicable standards and implementation specifications in the Privacy, Security and Breach Notification rules.
5. Train employees on the policies and procedures and clearly define the disciplinary consequences if they fail to adhere to the agency’s security policies.
6. Document, document, document, so that you can demonstrate that you have taken all of these steps.
7. Before Sept. 23, execute a Business Associate agreement with any vendor that has access to your PHI.

Due to the complexities of HIPAA, agencies may also want to engage a firm to assist them with their risk analysis and the development of their HIPAA compliance program. To learn more about these resources or to investigate additional tools for preparation, visit the Agents Council for Technology page on the Big “I” website and read the full version of this article.

The ACT HIPAA Work Group is part of the Agents Council for Technology. This article reflects the views of the HIPAA Work Group and should not be construed as an official statement by ACT.