02-06-13 | Blog Post

Final HIPAA Omnibus Rule: Business Associate Agreements & Roadmap to Compliance

Blog Posts

In addition to redefining business associates (BAs) and including subcontractors in the scope of liability, the final HIPAA omnibus rule has prompted the release of a new sample business associate agreement by the Dept. of Health and Human Services (HHS).

What does this mean for covered entities and business associates alike? Depending on where you are in the compliance process, It’s time to either update or draft a new contract and resign with your current vendors. Or, it could be time to search for a new hosting provider if your current HIPAA hosting provider isn’t able to sign a business associate agreement or meet HIPAA compliance.

Business Associate Agreements

According to the HHS, the contractual terms listed in the business associate agreement must include:

  • Establish permitted/required uses and disclosures of protected health information (PHI) by the BA
  • Provide that the BA will not use or disclose information other than as permitted, or required by the contract, or required by law

Require BAs to:

  • Implement safeguards to prevent unauthorized use/disclosure of information (including the HIPAA Security Rule requirements for securing electronic protected health information (ePHI)).
  • Report any PHI breaches (use or disclosure) not provided for in their contract, including breaches of unsecured PHI
  • Disclose PHI in order to allow CEs to abide by their obligation to fulfill patients’ requests for copies of their PHI, as well as make PHI available for amendments and accountings
  • Carry out a CE’s obligations as applicable to their contract
  • Make available its internal practices, books and records related to the use/disclosure of PHI for the purposes of confirming the CE’s compliance with the HIPAA Security Rule
  • At contract termination, return or destroy all PHI  from the CE
  • Ensure that any of their subcontractors with access to PHI also agree to the same restrictions/conditions that apply to BAs
  • Allow CEs to terminate their contracts with BAs if the BA violates a material term of the contract (same goes for contracts between BAs and subcontractors)

Review the sample business associate agreement provided by the HHS here.

Roadmap to Achieving HIPAA Compliance

For those that haven’t started on the road to compliance yet, you may be wondering where exactly to start. As I wrote about last February in Business Associates Must Be HIPAA Compliant By March 2012, this may help you figure out how to be HIPAA compliant:

  1. Conduct and document an initial risk assessment/analysis in order to check where your business is at when it comes to implementing HIPAA security safeguards, and where you need to fill in the gaps. This list of the Nine Components of a HIPAA Risk Analysis provides a good high-level overview of what you need to include in your document.
  2. Research and understand the HIPAA standards, and your role in handling PHI. As a HIPAA compliant hosting provider, Online Tech never accesses PHI or data on clients’ servers, we only provide the secure infrastructure necessary to protect sensitive information in a fully compliant environment.
  3. Draft a business associate agreement (BAA) that clearly defines your role and obligation in handling a client’s sensitive data. Include clauses about contract termination, data ownership and breach notification.
  4. Ideally, invest in an independent HIPAA audit of your business against the OCR HIPAA Audit Protocol in order to have the assurance and verification that your policies, procedures and services are in compliance. If you need guidance on which IT components can help you achieve compliance, read our HIPAA FAQ.
  5. Train all of your employees in HIPAA compliant policies and procedures as they affect the day-to-day operations of your company and according to the level of security needed by position – an employee that transports sensitive data will need more specific guidelines to stay compliant and prevent a data breach. Document proof of employee training and awareness, and update it every year.
  6. Appoint a Risk Management and Security Officer position in your company to implement, manage and oversee compliance and ensure everyone is following the documented policies and procedures, preferably someone with a strong technical background.

If you want to learn more about how the final HIPAA omnibus rules affect business associates,  covered entities and subcontractors, watch a recently recorded webinar with Attorney Brian Balow of Dickinson Wright, No More Excuses: HHS Releases Tough Final HIPAA Privacy and Security Rules.

Our other articles about how the final omnibus rule affects HIPAA cloud hosting providers and the HIPAA hosting market in general may also be of interest:

How the Final Omnibus Rule Affects HIPAA Cloud Computing Providers
The long-awaited final modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules were introduced Thursday. The 563-word document outlines the changes that were initially slated for implementation last summer (remember the omnibus rule?). So how do these modifications affect … Continue reading →

HIPAA Omnibus Rule Narrows the HIPAA Hosting Market
The final HIPAA omnibus rule released late last week holds business associates (BAs) and subcontractors (the BA of a business associate) directly liable for compliance with the HIPAA rules, and sets a deadline for compliance with the new modifications. There’s … Continue reading →


HIPAA Compliant Data CentersNeed help achieving compliance? Learn about the specific HIPAA requirements for HIPAA hosting with IT vendors with our HIPAA Compliant Hosting white paper. With 36 pages of statistics, diagrams and researched information sourced from engineers and a CHSS (Certified HIPAA Security Specialist), this white paper is your complete guide to HIPAA hosting.

Still have questions? Contact us or chat now. Learn more about our HIPAA hosting solutions, including cloud, colocation, managed servers and disaster recovery. Or, submit a quote request today.

In addition to redefining business associates (BAs) and including subcontractors in the scope of liability, the final HIPAA omnibus rule has prompted the release of a new sample business associate agreement by the Dept. of Health and Human Services (HHS).

What does this mean for covered entities and business associates alike? Depending on where you are in the compliance process, It’s time to either update or draft a new contract and resign with your current vendors. Or, it could be time to search for a new hosting provider if your current HIPAA hosting provider isn’t able to sign a business associate agreement or meet HIPAA compliance.

Business Associate Agreements

According to the HHS, the contractual terms listed in the business associate agreement must include:

  • Establish permitted/required uses and disclosures of protected health information (PHI) by the BA
  • Provide that the BA will not use or disclose information other than as permitted, or required by the contract, or required by law

Require BAs to:

  • Implement safeguards to prevent unauthorized use/disclosure of information (including the HIPAA Security Rule requirements for securing electronic protected health information (ePHI)).
  • Report any PHI breaches (use or disclosure) not provided for in their contract, including breaches of unsecured PHI
  • Disclose PHI in order to allow CEs to abide by their obligation to fulfill patients’ requests for copies of their PHI, as well as make PHI available for amendments and accountings
  • Carry out a CE’s obligations as applicable to their contract
  • Make available its internal practices, books and records related to the use/disclosure of PHI for the purposes of confirming the CE’s compliance with the HIPAA Security Rule
  • At contract termination, return or destroy all PHI  from the CE
  • Ensure that any of their subcontractors with access to PHI also agree to the same restrictions/conditions that apply to BAs
  • Allow CEs to terminate their contracts with BAs if the BA violates a material term of the contract (same goes for contracts between BAs and subcontractors)

Review the sample business associate agreement provided by the HHS here.

Roadmap to Achieving HIPAA Compliance

For those that haven’t started on the road to compliance yet, you may be wondering where exactly to start. As I wrote about last February in Business Associates Must Be HIPAA Compliant By March 2012, this may help you figure out how to be HIPAA compliant:

  1. Conduct and document an initial risk assessment/analysis in order to check where your business is at when it comes to implementing HIPAA security safeguards, and where you need to fill in the gaps. This list of the Nine Components of a HIPAA Risk Analysis provides a good high-level overview of what you need to include in your document.
  2. Research and understand the HIPAA standards, and your role in handling PHI. As a HIPAA compliant hosting provider, Online Tech never accesses PHI or data on clients’ servers, we only provide the secure infrastructure necessary to protect sensitive information in a fully compliant environment.
  3. Draft a business associate agreement (BAA) that clearly defines your role and obligation in handling a client’s sensitive data. Include clauses about contract termination, data ownership and breach notification.
  4. Ideally, invest in an independent HIPAA audit of your business against the OCR HIPAA Audit Protocol in order to have the assurance and verification that your policies, procedures and services are in compliance. If you need guidance on which IT components can help you achieve compliance, read our HIPAA FAQ.
  5. Train all of your employees in HIPAA compliant policies and procedures as they affect the day-to-day operations of your company and according to the level of security needed by position – an employee that transports sensitive data will need more specific guidelines to stay compliant and prevent a data breach. Document proof of employee training and awareness, and update it every year.
  6. Appoint a Risk Management and Security Officer position in your company to implement, manage and oversee compliance and ensure everyone is following the documented policies and procedures, preferably someone with a strong technical background.

If you want to learn more about how the final HIPAA omnibus rules affect business associates,  covered entities and subcontractors, watch a recently recorded webinar with Attorney Brian Balow of Dickinson Wright, No More Excuses: HHS Releases Tough Final HIPAA Privacy and Security Rules.

Our other articles about how the final omnibus rule affects HIPAA cloud hosting providers and the HIPAA hosting market in general may also be of interest:

How the Final Omnibus Rule Affects HIPAA Cloud Computing Providers
The long-awaited final modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules were introduced Thursday. The 563-word document outlines the changes that were initially slated for implementation last summer (remember the omnibus rule?). So how do these modifications affect … Continue reading →

HIPAA Omnibus Rule Narrows the HIPAA Hosting Market
The final HIPAA omnibus rule released late last week holds business associates (BAs) and subcontractors (the BA of a business associate) directly liable for compliance with the HIPAA rules, and sets a deadline for compliance with the new modifications. There’s … Continue reading →


HIPAA Compliant Data CentersNeed help achieving compliance? Learn about the specific HIPAA requirements for HIPAA hosting with IT vendors with our HIPAA Compliant Hosting white paper. With 36 pages of statistics, diagrams and researched information sourced from engineers and a CHSS (Certified HIPAA Security Specialist), this white paper is your complete guide to HIPAA hosting.

Still have questions? Contact us! Learn more about our HIPAA hosting solutions, including cloud, colocation, disaster recovery and data protection.

Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved