Wednesday, March 27, 2013

Business Associates Agreements and the New HIPAA Rule

The new Omnibus HIPAA rule went into effect on March 26, 2013. Covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013. Under some circumstances, covered entities and business associates will have up to one year following the compliance date to modify business associate agreements to be in accordance with the requirements of the final rule.

Under the final HIPAA rule, the public has increased protection and control of personal health information. The HIPAA Privacy and Security Rules originally focused on health care providers, health plans and other entities that process health insurance claims. The rule change expands many of the requirements to the business associates of these entities that receive protected health information (PHI), such as contractors and subcontractors. Some of the largest breaches reported to Health and Human Services have involved business associates. As part of the final rule, violations of the data security requirements could be much more costly. Pursuant to the original rule, penalties for data breaches could cost a minimum of $250,000, but under the new HIPAA omnibus rule, the penalties for noncompliance have been increased to $1.5 million per violation.

In light of this new rule, we should all be assessing our professional relationships and determining whether we are operating as a business associate or as a subcontractor of a business associate. Yes, law firms may be subject to the new requirements of the rule. If your organization creates, receives, maintains or transmits PHI, you are a business associate and should have an agreement in place. If you contract those activities to another organization, that organization may be a subcontractor, which is included in the definition of a "business associate." You should be entering into business associate agreements with those subcontractors as well.

Unfortunately, the new rule is not clear-cut and the requirements are not easy to decipher. Until there are more case studies and possibly guidance from HHS, the best advice is to be conservative when analyzing your relationships and the policies you have in place. Do the self-assessment, make the policy changes and get educated!
