The HIPAA Omnibus Final Rule is now in effect and audits will continue in 2014. The Department of Health and Human Services’ Office for Civil Rights has stated several times that both Covered Entities and Business Associates will be audited.  And the scope of Business Associates has greatly expanded.  I wrote another blog directed towards these new Business Associates.  This final blog of this series focuses on covered entities that work with business associates.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s)must be tracked

The HIPAA Omnibus Final Rule changed the Business Associate definition, and also makes Business Associates obligated to comply with HIPAA.  You most likely will have more business associates than previously, and those business associates that have access to your network and/or your PHI data are obligated to be HIPAA compliant.    The Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy and Data Security (December 2012), reveals that 42% of the breaches involved a third party “snafu”.


Although the business associate would ultimately be responsible for a breach or theft of PHI caused by them, it is your patients and clients that will suffer, along with your reputation.

While your business associates are on your network, how do you know what they are doing?  Do you have tracking, logging, and access controls in place so that they can only access the information their job function requires and not other data?  Can you track the ‘when, where, what, who and how’ as it pertains to your business associates and your ePHI?

The Final Rule requires that you either create or update your business associate agreements with each business associate.  If you have business associate agreements that existed prior to January 25, 2013, you have until September 22, 2014 to update them.  However, if you renewed or modified that agreement between March 26, 2013 and September 23 2013, you should have brought it into compliance at that time.

Recommendation: Identify which partners and vendors are now considered Business Associates. Include those relationships as part of your Risk Assessment, and include any network connections to those entities as part of your network risk assessment.

Cisco’s Compliance Solutions teams focus on helping customers simplify meeting mandated compliance requirements. To learn more about Cisco® compliance solutions, please visit http://www.cisco.com/go/compliance


Terri Quinn

Security Solutions Manager

Security Technology Group