As we reported earlier this year, the Department of Health and Human Services ("HHS") issued final regulations requiring changes to a covered entity's HIPAA privacy and security policies and procedures, notices of privacy practices and business associate agreements. The compliance deadline is September 23, 2013.
Background
One of the most sweeping changes in the final HIPAA regulations relates to business associates. The final regulations broadened the definition of "business associate" and directly applied many of the privacy rules and all of the security rules to business associates. In general, any service provider that creates, receives, maintains or transmits protected health information of behalf of a covered entity is a business associate. Any of the following providers can now constitute a business associate of a covered entity: consultants, advisors, lawyers, accountants, actuaries, software vendors, data transmission services, shredding services, and records storage services (paper or electronic).
Moreover, the regulations clarify subcontractors of business associates that create, receive, maintain or transmit protected health information on behalf of a business associate are also business associates. To illustrate, third party administrator (TPA) is the record keeper for a self-funded health plan, TPA is a business associate of the health plan; therefore, health plan must have a business associate agreement in place with TPA. TPA contracts with claims processor (CP) to process claims. CP is a subcontractor of TPA and is also a business associate. Therefore, TPA must have a business associate agreement in place with CP. CP contracts with individual physicians on a case-by-case basis to evaluate claims. These individual physicians are subcontractors of CP and are business associates. CP therefore must have a business associate agreement in place with each individual physician. Note that the group health plan is not required to (and should not) enter into a business associate agreement with the downstream business associates (i.e., CP and the individual physicians).
As mentioned earlier, the final regulations require business associates to comply with all of the HIPAA security rules and certain privacy requirements. What this means is that HHS now has the authority to enforce these HIPAA requirements directly against business associates. HHS can audit, investigate complaints, and impose penalties against business associates.
Actions
Group health plans (as covered entities) should take the following steps immediately in order to comply with the final regulation's sweeping changes by September 23, 2013:
1. Evaluate all services providers to ensure all business associates have been identified.
2. Enter into / update business associate agreements.
3. Update Notice of Privacy Practices.
4. Adopt / update Privacy and Security policies and procedures.
If a business associate agreement was in place before the final regulations were published (i.e., January 25, 2013) and complied with the HIPAA requirements as of then, and the business associate agreement is not renewed or modified between March 26, 2013 and September 23, 2013, then the business associate agreement does not have to be updated until the earlier of: (1) the date the business associate agreement is renewed or modified on or after September 23, 2013 or (2) September 22, 2014.
For more information on the impact of the final HIPAA regulations, please contact a member of the Benefits Law Group.
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author(s). This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.