Healthcare Business Associates Demonstrate Limited Understanding of New HIPAA Omnibus Rule
Roughly one-third of the business associates interviewed said they
have been asked to sign a new Business Associate Agreement (BAA).
A majority of business associates reported being somewhat or
completely unaware of their new responsibilities under the final
More than half of business associates said they have assessed
compliance with the final Omnibus Rule.
Fewer than half of business associates report they are compliant with
the Omnibus Rule.
On the positive side, most business associates have a process in place
and are set up to report a data breach as required by the Omnibus Rule.
Covered entities and business associates in the healthcare industry have
until September 23, 2013 to become compliant with the final HIPAA
Omnibus Rule that took effect in March. Coalfire, an independent
information technology Governance, Risk and Compliance (IT GRC) firm,
today released findings from a survey that shows business associates
have limited understanding of their responsibilities under the new rule
and fewer than half are currently compliant.
While a majority of healthcare business associates said they have
assessed their compliance and have an incident response plan in place,
fewer than half reported they are currently compliant with the final
Omnibus Rule. This may be due to the lack of understanding of the new
regulation, as a majority of business associates said they were unaware
of their responsibilities under the new provisions. In addition, very
few admitted to signing a Business Associate Agreement (BAA), which is
required by the final Omnibus Rule.
“With the HIPAA Omnibus Rule's expanded definition of who's a business
associate, many vendors falling under the definition don't even realize
they are a business associate, so this represents much of the
confusion,” said Andrew Hicks, Healthcare Practice Lead at Coalfire.
“The Department of Health and Human Services will be actively monitoring
and enforcing the rule, so it’s imperative that business associates take
the time to educate themselves and their staff about the new
requirements in order to become compliant before the deadline.”
Professionals from a variety of organizations that serve the healthcare
industry took part in Coalfire’s survey. The findings are outlined below
along with recommended actions that business associates should take to
become compliant. You can find more information about Coalfire’s survey
and the final Omnibus Rule on The