Is your physician practice in HIPAA compliance with your business associates?


Under the HIPAA Omnibus Final Rule published last January, the deadline for compliance with the new HIPAA rules was essentially Sept. 23, 2013. However, there was an exception built into the rule for physician practices and other covered entities (CEs). This exception stated that for CEs with vendor business associate agreements (BAAs) entered on or before Jan. 25, 2013, these BAAs must be brought into compliance with the Omnibus Rule by Sept. 23, 2014.

Here are three steps practices should take to comply with the requirements of this final Omnibus Rule:

Identify your business associates. A helpful tip on how to identify your practice's business associates: Pull up accounts payable to access your list of vendors. With this list in front of you, identify vendors that have access to your PHI. These vendors may include IT companies, transcription companies, coding and billing companies, consultants, collection agencies, and shredding companies. Note: Under the Omnibus Rule, the definition of business associate was reworded. A business associate now includes any vendor that creates, receives, maintains, or transmits PHI on behalf of a CE — even those that do not access PHI. Business associates can now include organizations involved in patient safety activities, health information organizations, and PHI data storage companies.

Review and collect Business Associate Agreements. Once you have identified which vendors qualify as business associates, you should review the latest BAA they signed with your practice. If the most current BAA you have on file with a vendor was signed on or before Jan. 25, 2013, you should immediately amend or replace this BAA and have the vendor sign a new BAA that complies with Omnibus Rule requirements.

Lastly, audit your business associates. If your practice delegates duties to a vendor, the practice has a responsibility to confirm — to the best of its ability — that the business is handling those duties in conformity with HIPAA rules. This can be accomplished through an auditing process in which your practice asks business associate representatives a number of questions and then assesses the answers.

Have questions? I’m here to help.