
Last Minute Preparation Tips for the HIPAA Omnibus Deadline

September 17, 2014 | News

“You may delay, but time will not.”
― Benjamin Franklin

This famous quote reminds us that another HIPAA Omnibus deadline is fast approaching. Covered entities (CEs) and Business Associates (BAs) that did not update their Business Associate Agreements (BAAs) in 2013 must do so by Monday, September 22, 2014. There’s no more wiggle room for delay. The final deadline is here.

What You’ll Need
Practices, clinics, and other CEs are responsible for auditing all their BAs and subcontractors, and for ensuring receipt of an updated BAA. The modified BAAs must state, in writing, that the BA has achieved the following:

  • Full compliance with the HIPAA Security Rule.
  • Execution of BAAs with any of their subcontractors that create, receive, maintain, or transmit protected health information on behalf of the BA.
  • Reporting of all security incidents, including breaches of unsecured health information.
  • Full compliance with the Privacy Rule requirements applicable to covered entities if and to the extent the BA is to carry out a CE’s obligations under the Privacy Rule.

A more detailed checklist for BAA compliance is here.

Know the Gotchas
While many BAs and subcontractors will confess to HIPAA compliance, they must put it in writing by September 22. This may include such business partners as cloud storage companies, EHR vendors, PM software firms, coding and billing services, and release of information processors. Even copy services and testing modalities must update their BAAs and their subcontractor BAAs — if they haven’t already done so.

CEs should verify that they’ve identified each BA and subcontractor by conducting a thorough self-audit of their practices — logging every device that captures, stores, or submits PHI. Even C-arms can store and submit data. Create an inventory of all systems and equipment to identify gaps in BAA documentation.

Four Basic Steps
Beyond updated BAAs, there are four basic ways practices and clinics can protect the privacy and security of their patients:

  • Establish a solid privacy and security program for PHI.
  • Document your program within strong HIPAA policies and procedures that are reviewed and updated at least annually.
  • Ensure staff receives initial and ongoing education regarding HIPAA and your overall privacy and security program with documentation of their attendance and any disciplinary actions.
  • Define steps to react quickly if a breach occurs — including investigation of the event, mitigation of potential harm, and notification of patients.

The HIPAA Omnibus rule changed your BAA requirements. Under the rule, all BAs and subcontractors are now also liable for breach penalties and fines. You’re no longer alone – but you’re also responsible.


Alisha R. Smith, RHIA is the Health Information Management Compliance Educator for HealthPort Corp. of Alpharetta, Georgia. 

