The 2014 OCR audit is just around the corner, and you should know where you stand with HIPAA. The new changes have caused confusion at many companies about what needs to be changed. One specific update is affecting more organizations than expected, whether you’re a business associate or not.
The business associate (BA) category now covers a wide range of organizations, and health care providers happen to be one of them. Organizations that deal with disclosed protected health information (PHI) are considered BAs under the new HIPAA compliance rules. Business associates are now required to make business associate agreements and to report breaches of information and any other violation. On the liability side, BAs are responsible for any non-compliance and are subject to audit, investigation and enforcement.
The new HIPAA compliance rules mandate new requirements for subcontractors, the downstream employees of BAs. A subcontractor is someone who helps a BA with a client by taking on their case, gaining access to PHI in the process. In the past, subcontractors were not responsible or held liable for PHI the way a business associate is. A subcontractor could breach information and the BA would be responsible for the non-compliance with HIPAA. The change, which will protect new business associates, is that subcontractors are now liable for any requirement not met or rule broken and will be penalized as well. Business associates are still responsible for their subcontractors because the BA hired them for the job.
The definition of business associate has also been extended to cloud service providers. A cloud service provider is a company that manages cloud storage of information online. Business associates use it to store data or information that others, such as subcontractors, can access and use in the cloud. Although a cloud service provider may never view the PHI in its cloud, it is now considered another business associate. In these transactions, the cloud service provider is storing or holding the PHI, which could allow it to read that information.
With all the changes to HIPAA, penalties have increased. The new guidelines for BAs and subcontractors make more people liable for more things. The idea behind this stems from the unwillingness to abide by previous requirements: upping the penalties and increasing the number of those held liable will decrease the amount of information breached.