For some, the new HIPAA Omnibus Regulations provoke a sense of dread at the increased penalties and red tape. But taken in total, these regulations will strengthen the relationship between healthcare providers and their business associates.
The new regulations have been in the works for almost three years and were made final last week. There are few surprises in the 573-page document, as many of the provisions were proposed long ago.
One of the most positive aspects to the new regulations is that they clarify and specify the legal relationship between providers and their partners, such as collection agencies, that manage patient information. While the new HIPAA regulations don’t let providers off the hook for transgressions by business associates, they do hold business associates accountable for protecting patient privacy to almost the same standard as providers.
One area in particular where regulatory jurisdiction will now be fully exercised is subcontractors to business associates. The very same protections that providers are required to have in their agreements with business associates must now be in place between business associates and any subcontractors who come into contact with patient information.
Providers, fortunately, will not be required to negotiate business associate agreements with their partners’ subcontractors — that is solely the responsibility of the business associate.
These agreements between business associates and their subcontractors finally give providers some confidence that their partners will not be able to perform an end-around on restrictions regarding patient data by transferring work to subcontractors. Subcontractors must be bound by the same restrictions as the business associates, or the business associate can face civil penalties of up to $1.5 million per year.
Healthcare providers do need to realize that this protection now cuts both ways. If, for example, a provider hires an outside company to manage some part of its revenue cycle and the contractor fails to fulfill certain regulatory responsibilities under HIPAA, such as publishing a privacy notification in a timely manner, the provider is still liable under HIPAA.
Most of the new regulations become effective on March 26, 2013. But this is not necessarily the case with the required changes to business associate agreements. Existing agreements may require numerous amendments, if not outright redrafting, to conform to the HIPAA Omnibus regulations, and those negotiations can be time-consuming and burdensome for both the provider and the partner.
To provide breathing room, the new regulations state that existing business associate agreements remain valid and that providers have up to a year to update them to reflect the new requirements. However, agreements that expire or are renewed during that period will need to be brought into compliance with the new regulations at that time.
The long wait for the new HIPAA Omnibus Regulations is now over. And the final regulations are not all bad news. While it will never again be “business as usual,” we all now know what we are supposed to do. Let’s roll up our sleeves and get to work.