HIPAA security rules now apply to business associates, including vendors, and assume that health care entities perform due diligence before contracting and monitoring throughout the contract, writes CynergisTek CEO Michael McMillan. The Omnibus Rule lifts constraints on the ability of the Office for Civil Rights to assess formal penalties and gives the Office for Civil Rights greater latitude in determining financial penalties. To avoid formal action, regulated entities should stay informed about privacy and security requirements, make privacy and security a priority, conduct risk analyses, train staff, ensure oversight and accountability and monitor security, McMillan writes.
