This week, Barnes & Thornburg’s Health Law Blog is examining the impact of the recently released Health Insurance Portability and Accountability Act Omnibus final rule (HIPAA Final Rule) on business associates. The HIPAA Final Rule has retooled the definition and responsibilities of business associates. The Department of Health and Human Services (HHS) has made sweeping changes to: who is considered a business associate; the obligations of business associates and subcontractors; and potential business associate and subcontractor liability. This blog entry specifically examines the impact of HIPAA Final Rule on business associate agreements (BAAs).

In order to comply with the HIPAA Final Rule, BAAs between covered entities and business associates will require modification.  A BAA must now: (1) establish the permitted and required uses and disclosure of protected health information (PHI) by the business associate; (2) require the business associate to report any breaches of unsecured PHI to the covered entity; (3) ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate; and (4) require the business associate to comply with any and all other HIPAA rules and regulations with which the covered entity would have to comply to the extent that the business associate performs related obligations.  Specifically, the business associate will need to agree that it has technical, physical and administrative safeguards in place, and that it meets certain security standards.  Essentially, business associates will need to take administrative actions and physical measures to protect PHI, which will also involve having appropriate policies and procedures in place. Business associates, like covered entities, will now be directly accountable for following many provisions of HIPAA. Due to increased HIPAA enforcement and the expansion of liability to business associates and subcontractors, covered entities and business associates should consider the role of indemnification provisions.

The new HIPAA Final Rule also expands compliance and potential liability to subcontractors.  Therefore, business associates should examine their subcontractor relationships to ensure compliance with the HIPAA Final Rule, and specifically to consider whether a BAA is necessary.

HHS has provided a transition period for existing BAAs, if prior to Jan. 25, 2013, the BAA complied with HIPAA and the BAA is not renewed or modified between March 26, 2013 and Sept. 23, 2013.  If a BAA meets these requirements, it will be considered compliant until the earlier of: the date the BAA is renewed or modified after Sept. 23, 2013 or Sept. 22, 2014. Due to increased enforcement, covered entities and business associates should review their current BAAs and ensure that they are in compliance with HIPAA immediately prior to Jan. 25, 2013 if they wish to take advantage of this transition period.