Are Your Business Associates ready for the September 23 Deadline?

Last week we asked you if your practice was ready for the September 23 Omnibus enforcement deadline. How about your Business Associates? Are they ready?

As the date approaches, an error that many business associates are making is thinking that compliance can be achieved with a simple checklist.

"One of the biggest mistakes is that business associates consider this as just another regulation, another checklist, and as a result, they think they can just whip something up overnight to satisfy compliance," says Andrew Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire.

"The truth is that compliance with the HIPAA Omnibus Rule is not as easy as they may think and cannot be done overnight; it takes lots of planning and a lot of understanding of what the requirements are," he adds.

Even at this late date, many business associates and subcontractors don't realize they must comply with HIPAA as a result of the Omnibus Rule. They may be "far removed" from the healthcare industry and lack understanding of the sensitive data they possess as a result of their relationships with covered entities, he says. "As a result they don't have knowledge about the regulations and they may not know how to interpret the regulations or implement the required controls," he says in an interview with Information Security Media Group.

In a recent survey of business associates, Coalfire found that only 40 percent were aware of their new responsibilities under the HIPAA Omnibus Rule. Even more worrisome is that less than half of the companies surveyed reported they believed they were in compliance.

At this point, one of the most important tasks for business associates is to understand where all the protected health information they hold is stored: databases, mobile devices, thumb drives and every other place PHI might reside. Information that has not been located cannot be protected.

"They should perform a risk analysis, which is the number one requirement of the HIPAA Security rule," Hicks adds. "This will allow them to identify where their gaps are in controls, where they're not compliant, where they have residual risks and to really identify a remediation roadmap for really gauging their compliance efforts moving forward."

If you or your organization needs help with assuring that your business associates or subcontractors are compliant, please contact us and ask about our business associate audit products.