The HIPAA Omnibus rule has brought business associates and their subcontractors within its scope, making it mandatory for them to comply with the requirements of the final rule or face stiff penalties. Business associates and subcontractors are therefore now bound to conduct risk assessments and to make appropriate use of encryption, along with other safeguards, just like the covered entities they serve, in order to be fully compliant with the final rule by the compliance deadline in September this year.
This makes it necessary for business associates and subcontractors of healthcare entities to take immediate steps, including documenting their security and privacy practices. The security measures they have taken so far will not be sufficient, because the final rule makes them directly accountable for the protection of protected health information (PHI) to the same degree as covered entities. In practice this means that covered entities will revisit their business associate agreements, and business associates in turn will update their agreements with subcontractors to reflect the requirements of the final rule.
One noteworthy consequence of the final rule is that more and more business associate agreements now shift the full cost of breach remediation onto the business associate when the business associate is responsible for the breach. Business associates and subcontractors therefore carry a much heavier burden. How can they manage this new compliance responsibility, and what measures do they need to take to prepare? Here are some immediate steps that should be taken:
- Identifying a privacy and security officer who is responsible for privacy and security matters within the organization
- Encrypting all devices that store or process PHI, including laptops, mobile devices, removable media and backups, so that the loss of a device does not expose PHI
- Conducting and documenting a risk analysis, and documenting the privacy and security practices that address the risks it identifies
- Assessing and identifying the means by which patients can be provided with an accounting of disclosures of their health information
- Adopting privacy and security management platforms such as Aegify Security Posture Management and Aegify SecureGRC, which can simplify HIPAA compliance to a large extent
Since business associates and subcontractors are now fully bound by HIPAA, they can also expect to be selected for audits by the Department of Health and Human Services in the near future. Implementing the measures above should therefore be a top priority for business associates and subcontractors that wish to reduce security risk, prevent data breaches, and avoid the legal action that follows a breach.