The HIPAA Omnibus rule has had a significant impact on the healthcare industry. It has created a complex chain of compliance liability for covered entities, their business associates and their subcontractors, who are now all equally accountable for the protection of private health information and, under certain circumstances, responsible for the compliance conduct of their ‘downstream’ partners, according to Data Security attorney Stephen Wu.
This means that a healthcare entity is responsible for the conduct of a downstream business associate when that business associate acts as an ‘agent’ of the hospital, i.e. when it has received instructions from the covered entity about how to perform its functions. So, according to Stephen Wu, in the event of a breach where the ‘agent’, i.e. the business associate of a hospital, is at fault, the hospital itself could face civil penalties for the breach.
Since the final HIPAA rule redefines ‘business associates’, a whole range of companies, including health information organizations and e-prescribing gateways, now fall under this category. All of these organizations are bound by HIPAA and have to fulfill the requirements of the rule. Moreover, the HIPAA Omnibus rule has a multi-level impact on the healthcare industry: it requires covered entities and business associates to modify their agreements so that they cover the new HIPAA compliance responsibilities.
Therefore, vendors providing services to healthcare entities must first determine whether they qualify as a business associate under the new definition in HIPAA Omnibus, and if they do, they have to take immediate steps to comply with the requirements of the rule. Compliance with HIPAA can be made much simpler by adopting Aegify Security Posture Management and Aegify SecureGRC, which can ensure complete protection of patient information and also offer full-fledged support for meeting the compliance requirements of HIPAA.