On March 23, the new HIPAA Omnibus Rules take effect, starting a 180-day countdown to compliance enforcement against Business Associates, including IT companies, EMR vendors, shredding companies, collection agencies, revenue cycle management vendors, lawyers, accountants, and many other businesses that come in contact with patient data.

Some of the largest breaches reported to the US Department of Health and Human Services (HHS) have involved Business Associates. Penalties for noncompliance are now tiered by the level of negligence, with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

In November 2012, a large data breach was caused by a Business Associate that had downloaded data from three health care institutions. In spite of a contract stating that all patient data would be stored on encrypted devices, an employee downloaded 68,000 patient records to an unencrypted laptop, which was then stolen.

Covered Entity Management

One area of concern is that many companies are not aware they are Business Associates, because health care providers often do not have them sign the required Business Associate Agreement. If you are a HIPAA Covered Entity (including medical practices, hospitals, clinics, insurance companies, billing companies, etc.), NOW is the time to verify that you have properly identified your Business Associates, have them sign Business Associate Agreements (new versions, since the HITECH Act changed the requirements in 2009), and make sure they know they must establish compliance programs so they can continue to work with you.

Examples of Business Associates

From the US Department of Health and Human Services

  • A third party administrator that assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A consultant that performs utilization reviews for a hospital.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.

  • An IT support organization that sees patient data while helping clients, or offers data backup or server management services
  • An Electronic Medical Records company that accesses patient data or converts data files
  • A company that shreds paper records
  • Any other vendor or partner who regularly comes in contact with Protected Health Information

You can get more information about Business Associates here.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

In a 2012 interview, Rodriguez said that his office would begin enforcing Business Associate compliance 180 days after the rule becomes effective, on September 23, 2013.

What Business Associates Should Do

  1. Get someone trained on HIPAA to take the compliance lead in your organization. Training is available from EMRapproved.
  2. Implement written policies to comply with the HIPAA Security Rule.
  3. Document procedures to show how your organization will comply with each policy.
  4. Create workflow templates for tasks that involve patient data – transporting devices, replacing hard drives, upgrading computers, backing up data, etc. – that show what you are doing to prevent a breach from occurring.
  5. Train your workforce to treat patient data like electricity – you don’t have to be fearful, but you should respect the data and not let your guard down.
  6. Just doing the right thing is not enough; you need to document it. Use the features of your ticketing system to record your compliance tasks. For example, if a hard drive containing patient data is to be discarded, attach a report showing that the drive was completely wiped according to government standards, and attach a photo if you physically destroy a drive before it goes to a recycling company.
  7. If you need help developing a program, or auditing your compliance efforts, Semel Consulting can help. More info at www.semelconsulting.com.