On September 23rd, 2013, the HIPAA Omnibus Rule went into full effect, assigning further responsibility for the safety and security of PHI, ePHI, PII and ePII and reaching further than ever before. Being identified as a Business Associate (BA), or having to identify Business Associates and ensure their compliance, has now become a major priority for many organizations. Recently even Google agreed to start signing BA Agreements with organizations that require them.
One of the hot topics that we are constantly running into is how to identify Business Associates in relation to your organization. We have authored a document, found here, that will help with that. By simply applying this checklist to each and every business that your organization deals with, you will be able to quickly identify who will require a BA Agreement (BAA) and who will not.
If your organization works with PII or PHI in physical or digital format, it is of the utmost importance that you evaluate each and every one of your BAs that receives, transmits or stores this information to determine whether a BA Agreement is required as part of your HIPAA compliance program. The Office of Civil Rights announced this year that they would be making the auditing of HIPAA Covered Entities and Business Associates a standard practice beginning next year. (Update: See April 2014 Article: Ready for Your HIPAA Compliance Audit?)