On January 17, 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued an omnibus final rule implementing various provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Final Rule revises the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the interim final Breach Notification Rule. This will affect not only physician practices, but also their business associates who have access to protected health information (PHI) and even business associates’ subcontractors. Now is the time to make sure your agreements with business associates comply with these new rules.
Explore this issue: May 2013
On February 17, 2009, President Barack Obama signed the American Recovery and Reinvestment Act of 2009 into law, which included the HITECH Act. The HITECH Act expanded the obligations of covered entities and business associates to protect the confidentiality and security of PHI.
Under HIPAA, covered entities may disclose PHI to business associates and permit business associates to create and receive PHI on behalf of the covered entity, subject to the terms of a business associate agreement between the parties. A “covered entity” is defined as a health plan, health care clearinghouse or health care provider (e.g., physician practice or hospital) that transmits health information electronically. In general, the HIPAA regulations have traditionally defined a “business associate” as a person (other than a member of the covered entity’s workforce) or entity who, on behalf of a covered entity, performs a function or activity involving the use or disclosure of PHI, such as the performance of financial, legal, actuarial, accounting, consulting, data aggregation, management, administrative or accreditation services to or for a covered entity.