The upcoming HIPAA Omnibus Rule is poised to transform an already challenging privacy and security landscape for business associates or those who provide services to HIPAA “covered entities.” The HITECH Act has already imposed greater compliance responsibility on business associates and their subcontractors. The rules are set to change further and failure to comply can result in compliance reviews, investigations, seven figure financial penalties, and other sanctions. In fact, the Office for Civil Rights, the agency responsible for HIPAA enforcement, recently announced concerns regarding business associate HIPAA compliance and plans to target business associates in upcoming audits.
If this is not enough to keep your privacy officer and security officers busy, there are overlapping, and continually evolving, state data security laws that must be evaluated along with HIPAA in order to ensure full compliance with privacy and security requirements. It is critical to protect your organization on all fronts with respect to these laws.