The final HIPAA Omnibus Rule is slated to go into effect later this year. How should we rework our business associate contracts? If a business associate finds itself in hot water for a HIPAA compliance violation, we don’t want to be dragged along with it.

The HIPAA Omnibus Rule 2013 went into effect in March, but organizations have until Sept. 23, 2013, to become compliant. It introduces a new set of requirements for organizations that handle protected health information (PHI) on behalf of HIPAA-covered entities. As in the past, these organizations, known as business associates, must sign HIPAA business associate agreements (BAAs) that require them to apply appropriate privacy and security controls to the information that they handle on behalf of the covered entity.

The Omnibus Rule makes several changes to existing regulations, and every covered entity should review its BAAs to ensure that they include two important elements. First, the BAA must clearly state that, if the covered entity is delegating any of its responsibilities under the Privacy Rule to the business associate, the BAA must require the business associate to comply with the Privacy Rule in the same manner as it would apply to the covered entity. Second, the regulations now clearly state that business associates are directly subject to the HIPAA Security Rule, and the BAA should be updated to reflect this fact.

The second major change applies directly to business associates by extending the HIPAA umbrella to any organization that the business associate uses as a subcontractor to perform HIPAA responsibilities or handle PHI. Under the new provisions of the rule, HIPAA responsibilities now follow the data wherever it goes and requires that organizations have formal BAAs in place to document this chain of protection.

In your question, you asked about liability for a breach. The terms of BAAs typically include a liability clause that requires the business partner to accept liability for the consequences of any security breach that occurs within their scope of responsibility. This is why it is in your best interest (and indeed your obligation under the new rules) to ensure that you have appropriate BAAs in place with your business partners and that you keep them updated to reflect changes in the regulations and your business processes.