Final Omnibus Rule: Managing Business Associate Agreements (BAAs) Within a Contract Database

Share Article

MediTract is helping our clients to better manage the complexities and mitigate the risks arising from the HIPAA Final Omnibus Rule through reporting, notifications and more detailed documentation.

September 23, 2013 marks the effective date when healthcare organizations, Covered Entities (CEs) and Business Associates (BAs) must be in compliance with the HIPAA Final Omnibus Rule.

A number of the modifications to the HIPAA Privacy, Security and Enforcement Rules are requiring organizations to more comprehensively document their adherence with the final rule within their contractual practices.

Some of the largest changes that affect the way an organization manages BAA’s within their contract database are:

  •     Expansion of the definition of Business Associates to include subcontractors of other business associates, patient safety organizations, health information exchanges and certain personal health vendors
  •     Business Associates are now required to have BAAs with their sub-contractors that handle Protected Health Information. Documentation of these documents is a key component of an organization’s risk management efforts.
  •     Business Associates have direct liability under the HIPAA security rule and certain provisions of the HIPAA Privacy Rule, including improper uses and disclosures
  •     Create an electronic inventory of Business Associate Agreements. Sort by date in which they need to have an updated BAA
  •     Significant changes in the documentation requirements related to Patient’s Rights included within a Covered Entity’s Notice of Privacy Practices

BAAs are traditionally stored along with their corresponding contracts within the MediTract database. They can be individually managed with their own effective/expiration dates, notifications and alerts and can be reported upon globally. “With direct liability now being placed on Business Associates of Covered Entities, we are seeing an uptick in activity related to BAA documentation,” said George Brown, President of MediTract, Inc.

Most of the activity within the databases has come from clients performing “audit” reports; looking across all of their BAAs to see which ones might be most likely at risk of being out of compliance. With the liability being extended to sub-contractors, many clients are reviewing both the original contract as well as BAAs to best mitigate the risk. “While our clients have always managed their BAAs within their MediTract database, there has been a major push to reinforce the day-to-day processes and reporting since the final rule came out in March,” said Brown.

To learn more about how to review BAAs within your MediTract Contract Database please contact Josh Troop at: 877-492-8490 or visit us on the web at:

About MediTract, Inc.
MediTract, through its product MediTract, provides to the healthcare community knowledge, service and technology to assist in the management of contracts and other critical business documents in support of their compliance programs. MediTract services and products are utilized in nearly 1,600 hospitals across the U.S. in settings ranging from Critical Access to Enterprise Healthcare Systems. While regulatory compliance is the underlying motivation for adoption, the successful implementation and support of our clients’ initiatives are what sustains our business.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Visit website