Healthcare Business Associates Demonstrate Limited Understanding of New HIPAA Omnibus Rule

Healthcare Business Associates Demonstrate Limited Understanding of New HIPAA Omnibus Rule

DENVER – Sep. 10, 2013 – Covered entities and business associates in the healthcare industry have until September 23, 2013 to become compliant with the final HIPAA Omnibus Rule that took effect in March. Coalfire, an independent information technology Governance, Risk and Compliance (IT GRC) firm, today released findings from a survey that shows business associates have limited understanding of their responsibilities under the new rule and fewer than half are currently compliant.

While a majority of healthcare business associates said they have assessed their compliance and have an incident response plan in place, fewer than half reported they are currently compliant with the final Omnibus Rule. This may be due to the lack of understanding of the new regulation, as a majority of business associates said they were unaware of their responsibilities under the new provisions. In addition, very few admitted to signing a Business Associate Agreement (BAA), which is required by the final Omnibus Rule.

“With the HIPAA Omnibus Rule's expanded definition of who's a business associate, many vendors falling under the definition don't even realize they are a business associate, so this represents much of the confusion,” said Andrew Hicks, Healthcare Practice Lead at Coalfire. “The Department of Health and Human Services will be actively monitoring and enforcing the rule, so it’s imperative that business associates take the time to educate themselves and their staff about the new requirements in order to become compliant before the deadline.”

Professionals from a variety of organizations that serve the healthcare industry took part in Coalfire’s survey. The findings are outlined below along with recommended actions that business associates should take to become compliant. You can find more information about Coalfire’s survey and the final Omnibus Rule on The Coalfire Blog.

Survey Findings:

• Roughly one-third of the business associates interviewed said they have been asked to sign a new Business Associate Agreement (BAA).
• A majority of business associates reported being somewhat or completely unaware of their new responsibilities under the final Omnibus Rule.
• More than half of business associates said they have assessed compliance with the final Omnibus Rule.
• Fewer than half of business associates report they are compliant with the Omnibus Rule.
• On the positive side, most business associates have a process in place and are set up to report a data breach as required by the Omnibus Rule.

Recommended Actions:

• Revise your policies and procedures and retrain your employees – Many of the changes outlined in the final Omnibus Rule will require revisions to written policies and procedures and the implementation of changes to current practices.
• Assess whether you are subject to a Business Associate Agreement – Business associates’ subcontractors must carefully assess whether they are directly liable under HIPAA.
• Take stock of your vendors and put the proper written agreements in place – Even though existing BAAs may be grandfathered in until Sept. 22, 2014, under certain circumstances, covered entities and business associates should start looking at their agreements and renegotiate them now.
• Audit your compliance –Be sure that you are prepared to face an audit or compliance investigation, that you feel confident about your level of compliance, and that you are in a position to defend your policies, procedures and practices.

Because business associates represent a significant security risk to covered entities, who may need several layers of protection to ensure the security of patient data, they should complete a due diligence investigation of potential business associates before signing a contract. This also applies to business associates as they enter into agreements with subcontractors, now considered business associates under the Omnibus Rule.

“Once contracts are signed, covered entities and business associates should continually monitor the HIPAA compliance of their business associates and subcontractors,” said Hicks.

About Coalfire

Coalfire is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington D.C. and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire’s solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, HITRUST, NERC CIP, Sarbanes-Oxley, FISMA and FedRAMP.