The Omnibus Rule modified the Privacy and Security Rules to reflect the PHI protection required in the digital age:
Business Associate Liability
- Business associates of covered entities are directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.
- Business associate subcontractors are liable and must agree to the same restrictions and conditions that apply to the business associate if the subcontractor creates or receives PHI.
- A subcontractor may not use PHI in any way that is not permitted by the business associate agreement (BAA) between the primary business associate and the covered entity.
- The BAA between the business associate and the subcontractor must be at least as stringent as the BAA between the covered entity and the business associate.
- Strengthening of limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes.
Safeguards
- Physical, administrative, and technical safeguards for both Rules are required.
- Safeguards are required to be incorporated by covered entities and business associates.
- Safeguards extend to the subcontractor level.