[ Sunday, January 20, 2013 ]
Nugget 2(a) (OK, I know these are out of order, but this really expand on nugget 2): Subcontractors are now "business associates" for purposes of complying with the Security Rule. Under HITECH, business associates must do all the things a covered entity has to do under the Security Rule. Under the Omnibus Rule, subcontractors also must do all of these things. That means that anyone who touches PHI that originated with a covered entity must (i) do a risk analysis and (ii) adopt a full set of policies and procedures that implement the technical, physical, and administrative requirements and implementation specifications in45 CFR 164.300 et seq. Many, many covered entities have been derelict in doing this; most medium to small BAs haven't done this to the extent required; I'd guess very few second and third tier subcontractors have done this.
Jeff [3:35 PM]
GET TO WORK! This is probably the biggest, costliest component of the Omnibus Rule. Needs to be done, and is a good idea, but has been under the radar since 2005.
Blogger: HIPAA Blog - Edit your Template