The deadline for health care providers to comply with the Omnibus Final Rule is fast approaching. Covered entities and their business associates generally have until Sept. 23, 2013 to comply with the amendments to regulations promulgated by the U.S. Department of Health and Human Services (HHS), released pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Final Rule makes significant changes to the privacy and security obligations of covered entities and their business associates with respect to patients’ protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).
Dialysis centers and nephrology practices, as covered entities, should take the following steps to minimize the risk of non-compliance with the requirements of the Omnibus Final Rule:
- Update your notice of privacy practices.
- Review and update your HIPAA policies and procedures.
- Conduct training for all applicable workforce members on the Omnibus Final Rule updates.
- Ensure that all business associate agreements (BAAs) satisfy the updated requirements.
One of the more burdensome of these compliance tasks is ensuring that all BAAs satisfy the Omnibus Final Rule requirements. In general, covered entities such as dialysis centers and nephrology practices must enter into new BAAs, or modify existing BAAs, with their business associates by Sept. 23, 2013. However, an existing BAA that 1) was entered into before January 25, 2013; 2) met the requirements that applied before the Omnibus Final Rule was promulgated; and 3) was not renewed or modified between March 26, 2013 and Sept. 23, 2013, does not have to be updated until Sept. 23, 2014, or until the BAA is next renewed or modified after Sept. 23, 2013, whichever comes first. For example, a dialysis center with a long-standing medical director arrangement may rely on this grandfathering exception, provided that the existing BAA complies with the old rules and has not been changed since March 26, 2013. Otherwise, the exception will not apply to the arrangement, and a new BAA should be executed by Sept. 23, 2013. Because any renewal or amendment ends the grandfathering period, a covered entity that relies on the exception should treat the next contract renewal as the point at which an updated BAA must be in place.
Dialysis centers and nephrology practices will also need to evaluate whether the new definition of “business associate” creates additional business associate relationships. The Omnibus Final Rule contains a number of modifications and clarifications that are significant for determining who qualifies as a business associate of a covered entity under HIPAA. In the Omnibus Final Rule, HHS 1) clarifies that data storage providers that maintain PHI on behalf of covered entities or business associates on a persistent basis qualify as business associates, even if they do not actually view the PHI (as distinguished from mere conduits, such as a courier or an internet service provider, that only transmit PHI and access it transiently, if at all); and 2) expands the definition of business associate to include subcontractors of business associates. Accordingly, dialysis centers and nephrology practices should ensure that they have entered into a compliant BAA with any service provider to which they have entrusted PHI, such as a cloud storage provider or an electronic health record vendor. In addition, every downstream vendor with access to PHI must sign a compliant BAA with the business associate to which the vendor provides services, no matter how many vendors are interposed between the covered entity and that downstream vendor. While the dialysis center or nephrology practice is not required to sign or track those downstream BAAs, it should be aware that both contractual and direct regulatory obligations flow to the downstream vendor under the Omnibus Final Rule.
The following are recommended steps for evaluating and updating BAAs.
- Update the entity’s form BAA to ensure compliance with the Omnibus Final Rule. This is also a good opportunity to consider whether the protections and restrictions in the form agreement go far enough in protecting patients and the dialysis center or nephrology practice.
- Conduct an inventory of all current BAAs. Each of these BAAs will need to be modified by an amendment or replaced with a revised BAA by the applicable deadline described above, and the inventory should record which BAAs qualify for the grandfathering exception and when each one is next due for renewal.
- Review all business relationships to ensure that a BAA is in place wherever one is required under HIPAA. Providers and business associates may have relationships that did not previously require a BAA but do now under the Omnibus Final Rule’s expanded definition of “business associate.”
Compliance with the requirements of HIPAA continues to be a challenge for providers of health care services that are covered entities, including dialysis centers and nephrology practices. Compliance should nonetheless be a high priority for your business. HIPAA enforcement activity is on the rise, and large providers, as well as many small providers, are being found out of compliance with HIPAA requirements and fined. This heightened scrutiny demands that health care providers comply with the Omnibus Final Rule on a timely basis.