The Coalfire Blog
Business Associates Unprepared for Final HIPAA Omnibus Rule
September 10, 2013, Andrew Hicks, Director, Healthcare Practice Lead
The deadline for the final HIPAA Omnibus Rule is less than a month away, and according to a recent survey conducted by Coalfire, business associates are still confused about their responsibilities under the new rules. In fact, a majority of business associates reported that they are still not fully compliant with the new regulations.
You can see the full results from our survey in the Final Omnibus Rule – Awareness and Compliance Among Healthcare Business Associates paper released today.
It’s imperative that covered entities and business associates take the time to educate themselves on the new rules and put in place the proper policies and procedures to become compliant. Here are steps that business associates should take immediately to achieve compliance before the September 23 deadline:
Revise your policies and procedures and retrain your employees – Many of the changes to the Omnibus Rule will require revisions to written policies and procedures and the implementation of changes to actual practices. It is essential to become educated about how the Omnibus Rule will affect your organization so you can revise policies and procedures as necessary, and also retrain your workforce on these updates.
Assess whether you are subject to the business associate agreement – Business associates’ subcontractors must carefully assess whether they are directly liable under HIPAA. If they are, they will need to conduct a thorough risk assessment of the methods they use to protect Patient Health Information, implement HIPAA-compliant policies and procedures, train their workforce and enter into BAAs with their own subcontractors. While these tasks require a significant time and financial investment, it may be relatively small in comparison to the potential penalties for noncompliance.
Take stock of your vendors and put the proper written agreements in place – Since the Omnibus Rule mandates that BAAs contain new provisions, existing agreements will need to be revised. Even though existing BAAs may be grandfathered in until Sept. 22, 2014, under certain circumstances, covered entities and business associates should start looking at their agreements and renegotiate them now.
Audit your compliance – Aside from the new requirements and changes to policies, procedures and arrangements, the Omnibus Rule provides a good opportunity for covered entities and business associates to audit their HIPAA compliance. Be sure that you are prepared to face an audit or complaint investigation, that you feel confident about your level of compliance, and that you are in a position to defend your policies, procedures and practices.