July 17, 2013
On Jan. 17, 2013, the U.S. Department of Health and Human Services (HHS) released the Omnibus Final Rule pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Final Rule makes significant changes to the privacy and security obligations of covered entities and their business associates with respect to patients’ protected health information (PHI). Covered entities and business associates are required to come into full compliance with the Final Rule by Sept. 23, 2013.
One of the more burdensome compliance tasks necessitated by the Final Rule is ensuring that all business associate agreements (BAAs) meet the updated requirements. In general, providers must enter into new BAAs or modify existing BAAs by Sept. 23, 2013. However, existing BAAs that (i) were entered into on or before Jan. 25, 2013; (ii) meet the requirements that were applicable prior to the promulgation of the Final Rule; and (iii) were not modified after March 26, 2013, do not have to be updated until Sept. 23, 2014. To the extent that an entity anticipates relying on this grandfathering exception, we recommend ensuring that existing agreements are compliant with the old rules. Otherwise, the exception will not apply.
Entities will also need to evaluate whether the new definition of “business associate” creates additional business associate relationships. The Final Rule contains a number of modifications and clarifications that are significant for defining who qualifies as a business associate of a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). In the Final Rule, HHS (i) clarifies that data storage providers that maintain PHI on behalf of covered entities or business associates on a long-term basis qualify as business associates under HIPAA; and (ii) expands the definition of business associate to include subcontractors of business associates. Accordingly, covered entities and business associates should ensure that they have entered into a compliant BAA with any cloud storage provider to which they have entrusted patient data. All downstream vendors with access to PHI must sign a compliant BAA, no matter how many vendors are interposed between the covered entity and the downstream vendor.
The following are recommended next steps for updating BAAs:
Please contact the authors for more information about business associate agreements, the Final Rule or HIPAA compliance generally.