The Rheumatologist
COVID-19 NewsACR Convergence
  • Connect with us:
  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Feed
  • Home
  • Conditions
    • Rheumatoid Arthritis
    • SLE (Lupus)
    • Crystal Arthritis
      • Gout Resource Center
    • Spondyloarthritis
    • Osteoarthritis
    • Soft Tissue Pain
    • Scleroderma
    • Vasculitis
    • Systemic Inflammatory Syndromes
    • Guidelines
  • Resource Centers
    • Axial Spondyloarthritis Resource Center
    • Gout Resource Center
    • Psoriatic Arthritis Resource Center
    • Rheumatoid Arthritis Resource Center
    • Systemic Lupus Erythematosus Resource Center
  • Drug Updates
    • Biologics & Biosimilars
    • DMARDs & Immunosuppressives
    • Topical Drugs
    • Analgesics
    • Safety
    • Pharma Co. News
  • Professional Topics
    • Ethics
    • Legal
    • Legislation & Advocacy
    • Career Development
      • Certification
      • Education & Training
    • Awards
    • Profiles
    • President’s Perspective
    • Rheuminations
    • Interprofessional Perspective
  • Practice Management
    • Billing/Coding
    • Quality Assurance/Improvement
    • Workforce
    • Facility
    • Patient Perspective
    • Electronic Health Records
    • Apps
    • Information Technology
    • From the College
    • Multimedia
      • Audio
      • Video
  • Resources
    • Issue Archives
    • ACR Convergence
      • Gout Resource Center
      • Axial Spondyloarthritis Resource Center
      • Psoriatic Arthritis
      • Abstracts
      • Meeting Reports
      • ACR Convergence Home
    • American College of Rheumatology
    • ACR ExamRheum
    • Research Reviews
    • ACR Journals
      • Arthritis & Rheumatology
      • Arthritis Care & Research
      • ACR Open Rheumatology
    • Rheumatology Image Library
    • Treatment Guidelines
    • Rheumatology Research Foundation
    • Events
  • About Us
    • Mission/Vision
    • Meet the Authors
    • Meet the Editors
    • Contribute to The Rheumatologist
    • Subscription
    • Contact
  • Advertise
  • Search
You are here: Home / Articles / Omnibus Rule Compliance Deadline Imminent

Omnibus Rule Compliance Deadline Imminent

September 1, 2014 • By Steven M. Harris, Esq.

  • Tweet
  • Email
Print-Friendly Version / Save PDF

You Might Also Like
  • Department of Health and Human Services’ Final Rule Expands HIPAA Obligations, Violation Penalties
  • HHS Enforces Stricter Rules on HIPAA
  • Legal Updates: Healthcare Data Privacy and Security under HIPAA
Explore This Issue
September 2014
Also By This Author
  • Avoid Data Breaches, HIPAA Violations When Posting Patients’ Protected Health Information Online

The deadline for business associate agreements (BAAs) to be in compliance with the Omnibus Rule is Sept. 23, 2014. The Omnibus Rule was published in early 2013 by the U.S. Department of Health and Human Services, and it amended the Privacy, Security, Breach Notification and Enforcement Rules that were previously issued under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Omnibus Rule expanded those HIPAA obligations that business associates are subject to, as well as the requirements applicable to BAAs. Existing agreements must be amended to incorporate new standards.

ad goes here:advert-1
ADVERTISEMENT
SCROLL TO CONTINUE

Although most BAAs were required to comply with the Omnibus Rule by Sept. 23, 2013, there was an exception for those HIPAA-compliant BAAs in existence prior to Jan. 25, 2013, which extended the deadline by a year.

Negotiation Considerations

Under the Omnibus Rule, the stakes are higher for all parties in negotiating the terms of a BAA.

ad goes here:advert-2
ADVERTISEMENT
SCROLL TO CONTINUE

Although BAAs are often similar, there is no standardized form. There can be significant differences, including the notice requirements, indemnification or damage limitations, and insurance requirements. It may seem that if you have seen several BAAs that you’ve seen them all, but the nuances in each agreement could have a significant impact down the road, so treat each one as a unique circumstance and worth reading carefully.

Whether you are a business associate, a covered entity or a contractor/vendor of a business associate, make certain that you review and are comfortable with the terms of any BAA you enter into and appreciate the differences between those provisions that are mandated by law and those for which there can be some flexibility to propose alternative language if it is less than favorable to you. As you review any BAA, also consider any underlying services agreement that exists because terms contained in that agreement could affect your rights and responsibilities under the agreement.

The issue of whether a particular arrangement triggers business associate status (and therefore the need for a BAA) can result in tension between parties. Such disputes are likely to arise with increasing frequency due to the expanded business associate obligations and potential liabilities under the HIPAA rules. Some covered entities are requiring all vendors to sign a BAA, rather than analyzing if a particular vendor qualifies as a business associate. If you have evaluated and confirmed that you are not a business associate in a particular circumstance, but are still asked to sign a BAA, it’s important to consider the impact of signing the agreement. If you are not a business associate and sign the agreement, you are now obligated to comply with the terms of the BAA and, in most cases through the agreement terms, the HIPAA rules in their entirety. As a covered entity, a healthcare provider that transmits any health information in electronic form would already be required to comply with the HIPAA rules. However, signing a BAA would typically require the business associate to comply with reporting and documentation obligations to the covered entity, which could be time consuming and costly.

ad goes here:advert-3
ADVERTISEMENT
SCROLL TO CONTINUE

Review Existing Relationships

If you are a covered entity, this would be a good opportunity to take a fresh look at your contractor and vendor relationships to confirm that those functioning as business associates have in fact signed a HIPAA-compliant BAA. Entities that function as business associates should do the same. Further, parties to any contract or other arrangement involving protected health information (PHI) should review their arrangements to determine whether a business associate relationship has been or will be created.

Pages: 1 2 | Single Page

Filed Under: Legal, Legislation & Advocacy, Professional Topics Tagged With: business associate agreement, deadline, Harris, HIPAA, Legal, Legislation, Omnibus rule, Practice Management, rheumatologist, rheumatologyIssue: September 2014

You Might Also Like:
  • Department of Health and Human Services’ Final Rule Expands HIPAA Obligations, Violation Penalties
  • HHS Enforces Stricter Rules on HIPAA
  • Legal Updates: Healthcare Data Privacy and Security under HIPAA
  • HIPAA Security Standards: What Rheumatologists Need to Know

American College of Rheumatology

Visit the official website for the American College of Rheumatology.

Visit the ACR »

ACR Convergence

Don’t miss rheumatology’s premier scientific meeting for anyone involved in research or the delivery of rheumatologic care or services.

Visit the ACR Convergence site »

Meeting Abstracts

Browse and search abstracts from the ACR Convergence and ACR/ARP Annual Meetings going back to 2012.

Visit the Abstracts site »

The Rheumatologist newsmagazine reports on issues and trends in the management and treatment of rheumatic diseases. The Rheumatologist reaches 11,500 rheumatologists, internists, orthopedic surgeons, nurse practitioners, physician assistants, nurses, and other healthcare professionals who practice, research, or teach in the field of rheumatology.

About Us / Contact Us / Advertise / Privacy Policy / Terms of Use / Cookie Preferences

  • Connect with us:
  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Feed

Copyright © 2006–2023 American College of Rheumatology. All rights reserved.

ISSN 1931-3268 (print)
ISSN 1931-3209 (online)