As Brian Horowitz writes in his article on eWeek:
“Business associates now must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers, according to the final “omnibus” rule the U.S. Department of Health and Human Services (HHS) announced on Jan. 17.”
While this is not entirely new information (those who know Kali Systems know that we have been promoting this fact for quite some time now), the real news is that the regulators are now focusing on it – and have a meaningful enforcement arm (the Office for Civil Rights) and a penalty structure which is, frankly, quite intimidating.
The article also states:
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez said in a statement. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”
The IT vendors that healthcare practices use will often have access to the practice's EHR, be responsible for data backup, and otherwise have broad access to many forms of ePHI in the practice. That privilege comes with serious responsibility and an obligation on the part of the vendor to comply. The practice is ultimately responsible for ensuring that its vendors meet the standards and that compliant Business Associate Agreements are in place before any access to protected data is granted.
The Risk Assessment process, as outlined by HHS guidelines, explicitly includes a review of all Business Associates. Our Risk Assessment product covers this requirement, along with the other requirements necessary for Meaningful Use attestation.
Please see the full eWeek article by Brian Horowitz here: