The HIPAA Omnibus Final Rule, released January 2013, greatly expands the number of organizations that must comply with HIPAA beyond the known ‘Covered Entities.’

The Final Rule expands the definition of a Business Associate to include an organization that ‘creates, receives, transmits or maintains’ PHI. Adding the term ‘maintains’ into the definition makes a big difference and will include a lot more businesses than before. The Department of Health and Human Services (HHS) estimates that 250,000 – 500,000 additional entities will be considered a Business Associate and therefore must comply with HIPAA.

Under the Final Rule, a Business Associate is defined as ‘a person or entity that performs certain functions or activities that involve the disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a covered entity.’ Under the Interim Rule, HHS allowed for two exceptions to the Business Associate definition – the conduit exception and the incidental exposure exception. Under the Final Rule, incidental exposure is no longer an exception, and the conduit exception is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service, UPS, or their electronic equivalents, such as internet service providers (ISPs). This change may mean that your business now counts as a Business Associate under the Final Rule.

So, are you a Business Associate in this new HIPAA world? A few questions to ask yourself:

  • Do any of your employees, services, tools or functions have the opportunity to touch your customer’s PHI? It doesn’t matter whether they need to use PHI or not, just that they could access it.
  • Does your customer’s PHI enter your organization at all?
  • Are you a subcontractor of a Covered Entity or a Business Associate?

If any of your answers is ‘Yes’ or ‘Maybe,’ you may be considered a Business Associate now and should check with your Legal department for more details and guidance.

As a Business Associate under the new law, you are directly liable for compliance with the HIPAA Rules and subject to civil penalties for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule. The Final Rule became effective on March 26, 2013, with compliance with the new Rules required by Sept 23, 2013. HHS expects that audits will start up again in late 2013 and continue into 2014. Now is the time to learn if HIPAA has entered your world.

For more information on the Cisco Compliance Solutions Framework, please go to http://www.cisco.com/go/compliance.


Terri Quinn

Security Solutions Manager

Security Technology Group