The HIPAA Omnibus Rule was established to identify and further outline accountability within the entities of healthcare regarding patient data. To understand the HIPAA Omnibus Rule and how it affects these entities, we need to understand who and what are the “moving parts” that make up the operation. Once we recap these key components, we’ll summarize how they play into the Omnibus Rule.
Covered Entity (CE)
A covered entity is an individual, organization, or agency that falls under the HIPAA guidelines. The HIPAA rules apply to covered entities in order to protect the privacy and security of health information.
A covered entity is one of the following:
- Health Plan
- Health Care Clearinghouse
- Health Care Provider
If you aren’t sure if you are a covered entity, you can use this tool from the Centers for Medicare and Medicaid Services to find out.
Business Associate (BA)
A business associate engages with the covered entity to assist in carrying out the activities and functions of their healthcare business. This might be a collections agency, a law firm, a billing company, or even an answering service. There are many different examples of what a business associate is, and if you are not sure whether your business is identified as one, HIPAA Secure Now can help.
Protected Health Information (PHI)
Health data that a covered entity or its business associates create, receive, store, or transmit is PHI. The Department of Health and Human Services (HHS) has outlined 18 PHI identifiers for reference.
Business Associates Contract or Business Associates Agreement
Covered entities MUST have a written agreement with their business associates. This contract ensures that the PHI will be appropriately safeguarded per HIPAA guidelines. If you aren’t sure what this should look like, there are examples online.
How the Omnibus Rule Factors In
The Omnibus Rule places the same HIPAA Security Rule compliance requirements on business associates that already apply to the covered entity. Additionally, there are guidelines from the HIPAA Privacy Rule that the covered entity must adhere to as well. For example, a BA must report any breach or security incident to the covered entity as soon as the BA becomes aware of it.
This article was originally published on HIPAA Secure Now! and is republished here with permission.