The final revisions to the HIPAA Act, published in January 2013 in the Federal Register, were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH). The final HIPAA Act revisions became effective on March 26, 2013, with extensive changes that have a major impact on all covered firms and their Business Associate Agreements (BAA).
The rather broad term of business associates was expanded to include the following categories:
-
Health Information entities
-
Third-party health record vendors
-
Organizations involved with health and health care information
-
Firms involved in the transmission, maintenance, and routine accessibility of Protected Health Information PHI data
-
Electronic prescribing gateways used by pharmacies and physicians
-
Business associate subcontractors
-
The direct compliance liability under the Rules for Business Associates involving certain HIPAA Privacy and Security Rule requirements
New Guidelines Regarding Subcontractors
A timeline for compliance by covered entities with the provisions set forth in the new Rules was September 23, 2013. It includes the following:
One new requirement requires that all business associates must enter into agreements, known as BAA's, with all of their subcontractors who may create, receive, and/or transmit PHI for their organizations. BAA’s must be updated to include the PHI requirements and new obligations imposed by the final rule so that they fully understand the new changes.
The changes affect a number of areas including policies and procedures, security standards, physical safeguards, technical safeguards, PHI disclosures, administrative safeguards, and all organizational requirements. On September 25, 2013, all PHI disclosures become subject to the new restrictions on the sale of PHI.
Final Deadline
The changes call for all covered entities to bring all of their Business Associate Agreements (“BAAs”) and their covered subcontractors into compliance with the new Rules by September 22, 2014.
