Business Associate Agreements – HIPAA/HITECH Amendments – Are You Prepared?

On January 17, 2013, the US Department of Health & Human Services (HHS) issued the long-anticipated final rule describing the privacy and security requirements for covered entities under the Health Insurance Portability and Accountability Act (HIPAA), as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The new final HIPAA Privacy and Security Rule has been described as containing the most sweeping changes to HIPAA since the law was implemented. The Amendments become effective on March 26, 2013, and compliance is generally required by September 23, 2013.

Business Associates are partners and vendors, as well as subcontractors, that create, receive, maintain or transmit Protected Health Information (PHI) on behalf of the Business Associate. One of the changes is the expansion of the term “Business Associate” to include their subcontractors handling PHI. As a result, any recipient of a delegated task that involves the creation, receipt, maintenance or transmission of PHI is defined as a Business Associate, regardless of whether a covered entity or another Business Associate delegated the task. Business Associates are now directly subject to HIPAA with respect to the Rule.

Under the new rule, Business Associates of covered entities are directly liable for compliance with HIPAA requirements and must enter into written Business Associate agreements. Each covered entity should review its existing Business Associate Agreements to ensure the new language is included and meets the rule requirements. While covered entities are not required to have written Business Associate agreements with subcontractors used by their Business Associates, the Business Associates are required to enter into written agreements with their subcontractors.

–Lisa Coleman
