Think of it as a chain of responsibility and legal liability that just got a whole lot longer.
Business associates to healthcare providers and other HIPAA-covered entities, and now also the subcontractors those business associates hire if they routinely handle patient data, are all obliged to protect patient medical records or be subject to enhanced penalties for federal privacy and security law violations under the newly released update to the Health Insurance Portability and Accountability Act's privacy and security rule.
The driving force behind the 563 pages of the “omnibus” privacy and security rule released Thursday was the set of more stringent privacy and security requirements Congress wrote into some provisions of the American Recovery and Reinvestment Act in 2009.
The long-awaited rule had been in regulatory purgatory, locked up by the Office of Management and Budget since March.