Compliance Helper Blog

Business Associates Must Comply with Their HIPAA Contracts, Now!

I am pleased to see that law firms are coming to grips with the NPRM and putting out opinions that reflect the new world it creates. The NPRM clearly states that if you have a business associate agreement in place, HHS expects you to be compliant with the terms of that agreement, now. As we all know, many insurance carriers and payers sent out amended BA agreements in an attempt to shift liability to the BA. Of course, the chain of responsibility now extends down to the subcontractor, and everyone is liable if there is a breach. Here is a more complete quote from this blog:

The Office for Civil Rights (OCR) of HHS issued a proposed rule setting forth modifications to the Privacy, Security and Enforcement rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The proposed rule implements the changes to HIPAA that are contained in the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). Key items under the proposed rule include the following:    

  • Revising the definition of business associate to include patient safety organizations, health information organizations, E-prescription gateways, persons who facilitate data transmission, vendors of personal health information and subcontractors of a covered entity
  • Amending the definition of protected health information (PHI) to provide that the privacy and security rules do not protect individually identifiable health information of persons who have been deceased for more than 50 years
  • Defining electronic media to reflect the current National Institute of Standards and Technology definition, including intranets and voice technology digitally produced from information systems and transmitted by phones
  • Amending the definition of workforce to clarify that the term includes employees, volunteers, trainees and other persons whose conduct in the performance of work for a business associate is under the direct control of the business associate
  • Holding a business associate contractually liable, not only for improper uses and disclosures of PHI, but also for compliance with all other requirements of the Privacy Rule that pertain to the performance of the business associate's contract
  • Requiring material changes to the notice of privacy practices, including a statement that describes the uses and disclosures of PHI that require an individual's authorization
  • Providing that the noncompliance penalties could be imposed on covered entities and business associates for the acts of their agents, including workforce members and subcontractors acting within the scope of the agency

OCR proposes a 180-day period beyond the effective date of the final rule by which covered entities and business associates are expected to be in compliance with the proposed rule, unless otherwise specified. In addition, the proposed rule includes a one-year transition period for compliance with the business associate contract changes. The one-year period is in addition to the 180-day compliance period. Thus, covered entities and business associates have one year past the compliance date to renew or modify existing contracts to meet the new requirements. However, if contracts are renewed or modified following the compliance date or prior to the end of the one-year period, contracts would need to be compliant as of the time of the renewal or modification.

