Dive Brief:
- Providers are facing a critical final deadline for the HIPAA Omnibus rule this month, under which they must make sure business associate agreements are revised and ready.
- The revisions to BAAs are critical because under the new rule, business associates and subcontractors working with covered entities are now required to ensure the privacy and security of personal health information.
- Experts warn that in finalizing these agreements, providers must be sure the risk is allocated properly among parties. They must also be sure to understand where their data may go once it's handed off to BAs or contractors, including whether it's offshore.
Dive Insight:
Generally speaking, it seems a good thing that business associates and contractors are held liable for mistakes they make with data. After all, how often do we read about a data breach within a provider organization that was caused by, say, the loss of a laptop by a business associate or subcontractor? Clearly, there need to be safeguards here, and they don't seem to exist today. If that causes a shakeout in the business associate world, so be it.
That being said, running down the ways in which BAs and subcontractors transport and use data is likely to prove an absolute nightmare for large organizations with hundreds of partners. While providers have had a year to revise BAAs, it's likely that even a medium-sized health system could spend several years running down the PHI-handling practices of every associate. While this step may be necessary, it's definitely onerous too.