HIPAA: Business Associates and Business Associate Agreements

Health care professionals working with personal medical information face major compliance obligations under the newest rules related to “protected health information” (“PHI”). The Omnibus rules were issued by the Department of Health and Human Services last January (the “Final Rule”).

The Final Rule sets requirements and authorizes substantially increased penalties for violations of HHS’ regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. Particularly in light of those increased penalties, HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and their “business associates” — which are now directly subject to HHS regulations — should be actively reviewing their new responsibilities under the Final Rule.

The Final Rule’s significant provisions relating to business associates:

  • Make subcontractors (and sub-subcontractors, sub-sub-subcontractors, etc.) of HIPAA business associates themselves “business associates” and thus directly subject to most provisions of the HIPAA Privacy Rule, as well as the HIPAA Security Rule and HHS’ Breach Notification Rule;
  • Eliminate the “risk of harm” standard that HHS previously prescribed as a criterion for determining when it is necessary to notify individuals about a breach of security affecting their PHI; and
  • Require amendments to Notices of Privacy Practices, business associate agreements, and a variety of policies and procedures entailed in complying with the Privacy Rule.

With limited exceptions, compliance with the Final Rule’s provisions is required by September 23, 2013.

HHS has compiled extensive information about business associates on its website.

The site includes a generic sample agreement for business associates. The site warns that not all of the sample should be used and that parts should be modified to fit the exact situation. This agreement is a good start for complying with the

By Matthew L. Kinley, Esq.