On January 25, 2013, the Department of Health and Human Services/Office for Civil Rights (HHS/OCR) published in the Federal Register (78 Fed. Reg. 5566) the long-awaited final rule titled Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules (Omnibus Final Rule).  The rule becomes effective March 26, 2013 and compliance is required by September 23, 2013.

The omnibus rule finalized several significant changes relating to Business Associates:

1.  Expansion of the definition of who is a business associate to include subcontractors of a business associate that create, receive, maintain or transmit protected health information (PHI) for the business associate.  The term Business Associate will now also include health information organizations, e-prescribing gateways, and other persons that provide PHI data transmission services to a covered entity.

2.  Direct liability for violations of the HIPAA Security Rule and for uses and disclosures of PHI in violation of the HIPAA Privacy Rule.

3.  Maintenance and submission of compliance reports to HHS, notifying covered entities of a breach of unsecured PHI.  This requirement also applies to Business Associates’ subcontractors, and now requires the subcontractors enter into Business Asociate Agreements (BAA) with the business associate.;

4.  BAAs between covered entities and business associates must now require that the business associate comply with the Security Rule requirements and report to covered entities breaches of unsecured PHI.  The final rule grandfathers existing business associate agreements until September 22, 2014 to provide covered entities and business associates time to revise the agreements. However, all relevant entities must comply with the news standards regarding uses and disclosures of PHI by September 23, 2013.

Next Steps

A Covered entity must determine if it shares PHI with any of the types of entities that have now been deemed to be business associates.  Covered entities must also review existing BAAs for compliance with the new requirements.  Business associates must identify which of their subcontractors create, receive, maintain or transmit PHI on behalf of the business associate, and enter into appropriate BAAs with those companies.  Given the increased liability imposed by the omnibus final rule, all participants in the “business associate agreement chain” should take this opportunity to review their legal risks related to PHI, including their compliance and contracting strategies.

See the Akerman Practice Update  HIPAA Omnibus Final Rule Imposes New Obligations on Business Associates for more information on how the omnibus final rule will affect business associates.