Professionals working with personal medical information face major compliance
obligations under the newest rules related to “protected health information”
(“PHI”): the Omnibus rules issued by the Department of
Health and Human Services last January (the “Final Rule”).
The Final Rule
sets requirements and authorizes substantially increased penalties for
violations of HHS’ regulations under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and the 2009 Health Information Technology
for Economic and Clinical Health (HITECH) Act. Particularly in light of those
increased penalties, HIPAA covered entities (health plans, health care
clearinghouses, and most health care providers) and their “business associates”
— which are now directly subject to HHS regulations — should be actively
reviewing their new responsibilities under the Final Rule.
The Final Rule’s
significant aspects relating to business associates are:
subcontractors (and sub-subcontractors, sub-sub-subcontractors, etc.) of
HIPAA business associates are themselves “business associates” and thus
directly subject to most provisions of the HIPAA Privacy Rule, as well as
the HIPAA Security Rule and HHS’ Breach Notification Rule;
the “risk of harm” standard that HHS previously prescribed as a criterion
for determining when it is necessary to notify individuals about a breach
of security affecting their PHI; and
amendments to Notices of Privacy Practices, business associate agreements,
and a variety of policies and procedures entailed in complying with the
Final Rule. With certain exceptions, compliance with the Final Rule’s provisions is required by
September 23, 2013.
HHS has compiled extensive information about business associates on its website, which
includes a generic, sample agreement for business associates. The site
warns that not all of the sample should be used and that parts should be modified to
fit the exact situation. This agreement is a good start for complying with the