Complying with the Omnibus Rule


Healthcare Info Security recently featured Mac McMillan’s advice for business associates (BAs). McMillan first notes that the recent Omnibus Rule defines BAs as “anyone who receives, creates, maintains or transmits protected health information on behalf of a covered entity,” which means BAs are now responsible for complying with the HIPAA Security Rule and several provisions of the HIPAA Privacy Rule. McMillan reminds us that BAs only have until September 23 to be prepared for enforcement.

McMillan advises that BAs should conduct a risk analysis under the HIPAA Security Rule. BAs need to conduct the analysis to identify gaps in their policies and procedures; addressing those gaps is a stride towards a successful and well-defined security program. He also suggests that educating and training staff on their responsibilities is key to assuring an effective security program. McMillan points out that BAs can find guidance on how to conduct a risk analysis on the Office for Civil Rights (OCR) website, as well as on the North Carolina Healthcare Information and Communications Alliance’s website.

Next, McMillan advises BAs to prepare to respond to breaches. Under the Omnibus Rule, BAs now have to notify their covered entity of any loss of protected health information (PHI). He points out that when a BA has an incident, it should assess the severity of the incident based on what information was lost, who obtained or received the information, and any other factors that could reduce the risk of compromise. The BA will need to analyze this information and document its decision on whether or not to notify.

To read the entire article visit Healthcare Info Security’s site.