The Liability Chain in HIPAA Omnibus
The HIPAA Omnibus Rule creates a complex chain of compliance liability among covered entities and their business partners.
Under HIPAA Omnibus, covered entities, business associates and subcontractors can be held responsible for the compliance conduct of their "downstream" partners.
For example, a practice could be responsible for the conduct of a downstream business associate if the vendor qualifies as an "agent" of the practice. The term "agent" refers to vendors that have received certain instructions from the covered entity about how to perform various functions.
As a result, if there is a breach in which an "agent" such as a business associate is at fault, the practice could face civil penalties.
Vendors providing services to healthcare organizations need to take the initiative to carefully determine whether they qualify as a business associate under the expanded definition in HIPAA Omnibus, which includes health information organizations and e-prescribing gateways. If they don't know they're a business associate, they might not be taking all the steps they need to comply. HIPAA Omnibus makes it clear that business associates and their subcontractors must comply with HIPAA provisions.