HIPAA Omnibus rule

This rule, issued in 2013, makes business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.

“Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities, shall be treated as business associates; requiring HIPAA covered entities and business associates to provide for notification of breaches of ‘unsecured protected health information’;”

“…it is the business associate that must obtain the required satisfactory assurances from the subcontractor to protect the security of electronic protected health information…”