The six-month grace period is over and today is the day that healthcare entities must be in compliance with the new provisions of the Health Insurance Portability and Accountability Act (HIPAA), known as the Omnibus Rule. In this podcast, Healthcare Informatics Associate Editor Gabriel Perna speaks with Joseph Kirkpatrick, managing partner at KirkpatrickPrice, an independent audit firm that works with healthcare providers and vendors, about these new rules and how healthcare entities must go about dealing with them.
Kirkpatrick talks about some of the elements of Omnibus which directly impact healthcare providers, such as changes to how they can use patient information for marketing purposes and the increased clarification on breach notification. However, the most prominent change coming from Omnibus, according to Kirkpatrick, is the relationship providers have with their business associates.
“In the past, healthcare organizations would outsource certain functions to third parties and they would require them to sign business associate agreements. But now that there are more stringent requirements being placed on business associates, I think that healthcare providers should be looking at their contracts, looking at those agreements, and trying to determine should we be more specific with what we are asking them to sign contractually that they will do, when protecting patient information,” Kirkpatrick said to Perna.
Kirkpatrick talks about the potential mess providers would have on their hands if they don’t comply with these new business associate rules. He said the term “willful neglect” could apply to them, and they could be levied large HIPAA fines as a result.
What’s important for healthcare organizations to do, Kirkpatrick said, is to make a list of their current business associates, ensure they have an updated agreement, and also, rank those associates in terms of risk.