Business Associate Obligations and Agreements: Aftermath of the HIPAA Omnibus Rule is brought to you by Lorman
Understand how to implement a proper business associate agreement (BAA) and the obligations and responsibilities under HIPAA since the Omnibus Rule.
Nearly a decade ago, the Department of Health and Human Services (HHS) issued a final rule to implement some of the statutory amendments to the Health Insurance Portability and Accountability Act of 1996 and its accompanying regulations (collectively, HIPAA). This final rule known as the ‘omnibus final rule’ took effect in March of 2013, and among other things clarified the direct liability that business associates have under HIPAA. There still is some confusion over who are and who are not considered to be business associates under HIPAA. Business associates are a wide and broad group of vendors, service providers and others who perform services by and on behalf of entities covered by HIPAA directly (‘covered entities’ in HIPAA refers to health care providers, health plans and health care clearinghouses) and in so doing must use or disclose patients’ nonpublic individually identifiable health information. When the omnibus rule took effect, HHS estimated that as many as half a million separate entities were business associates and would be affected by the omnibus rule – before giving consideration to any other or further vendors or service providers doing work for those business associates. Come prepared to explore what has happened in the nearly ten years since the omnibus final rule took effect.
