Early last year, the Department of Health and Human Services issued final privacy and security regulations (Final Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Final Rule, effective March 26, 2013, imposes significant responsibilities on covered entities and their business associates, which include subcontractors of such business associates. A “covered entity” is a health care provider, health plan, or health care clearinghouse that transmits certain information electronically, such as claims or payment information. A “business associate” is any party that creates, receives, maintains, or transmits protected health information (PHI) (as defined by HIPAA) in connection with providing services to a covered entity. A business associate also includes any party that provides consulting, management, administrative, or other services to a covered entity that involve the disclosure of PHI from the covered entity. A covered entity typically has multiple business associates, which can include professional advisors, medical directors, and cloud storage providers.
The Final Rule requires a review of existing business associate relationships and, to the extent necessary, revisions of the related business associate agreements to incorporate the Final Rule’s compliance and disclosure provisions by September 22, 2014.
Covered entities and business associates, including subcontractors, are encouraged to consult with their legal advisors to review all business associate agreements as soon as possible to determine whether they require revision to ensure compliance with the Final Rule.