Early last year, the Department of Health and Human Services issued final privacy and security regulations (Final Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Final Rule, effective March 26, 2013, imposes significant responsibilities on covered entities and their business associates, which include subcontractors of such business associates. A “covered entity” is a health care provider, health plan, or health care clearinghouse that transmits certain information electronically, such as claims or payment information. A “business associate” is any party that creates, receives, maintains, or transmits protected health information (PHI) (as defined by HIPAA) in connection with providing services to a covered entity. A business associate also includes any party that provides consulting, management, administrative, or other services to a covered entity that involve the disclosure of PHI from the covered entity. A covered entity typically has multiple business associates, which can include professional advisors, medical directors, and cloud storage providers.

The Final Rule requires a review of existing business associate relationships and, to the extent necessary, revisions of the related business associate agreements to incorporate the Final Rule’s compliance and disclosure provisions by September 22, 2014.

Covered entities and business associates, including subcontractors, are encouraged to consult with their legal advisors to review all business associate agreements as soon as possible to determine whether they require revision to ensure compliance with the Final Rule.