Issued at the beginning of 2013, HIPAA’s Omnibus Rule makes important changes to the definition and responsibilities of business associates, and although the rule stipulates that businesses have until late September to become compliant, practices with existing business associate agreements may be able to have that deadline extended for up to a year.
So what are the changes that were put in place by the new rule? Well, before the rule was issued in January, business associates were defined as those individuals or entities who, while not a member of the covered entity’s workforce, worked in the interests of that covered entity to: create, receive or transmit protected health information (PHI); or provide legal, accounting, consulting or other services. Under the new rule, the word “maintain” has been added to ensure the inclusion of data storage companies, such as those companies that act as repositories for Meaningful Use and PQRS data. The new rule also includes health information (HI) organizations and prescription gateways that facilitate the transmission of PHI to or on behalf of a covered entity and other entities that capture and access PHI on a regular basis.
The “conduit exception,” designed to protect couriers such as the United States Postal Service, Federal Express or similar entities and exclude them from liability, still applies under the new rule. Under both the old and new rule, a “conduit” is any business that transports information without accessing it except on an infrequent basis.
In addition, under the new rule, “subcontractors” are also covered under the new definition of business associate. A subcontractor, as defined by the new rule, is any individual or entity that performs a delegated activity or service on behalf of a business associate without being a member of the associate’s workforce. The definition also includes subcontractors of subcontractors – that is, individuals or entities contracted by the subcontractor to perform the original task or a portion of that task.
That’s what the new rule does define as a business associate. Now, what or who is not defined as a business associate under the new rule?
In general, business associates are not:
- A health care provider, when the health care provider is being consulted regarding the course of care for an individual patient;
- A government agency, when information is being used to determine eligibility for a government plan; or
- A covered entity that is taking part in an organized health care arrangement that creates, receives, maintains, or transmits PHI in order to facilitate or fulfill recordkeeping or other administrative tasks or similar responsibilities on behalf of the organized arrangement.
In addition, Personal Health Record (PHR) vendors may or may not be considered business associates, depending upon their specific role. For example, when a vendor offers PHRs directly to an individual, it is not considered a business associate; however, when it offers PHRs to individuals on behalf of a covered entity, it is considered a business associate and is considered liable under the new rule.
As with the previous rule, covered entities are required to enter into business associate agreements (BAAs) with associates, and associates must enter into BAAs with their subcontractors, in order to provide assurance that the associate or subcontractor understands privacy requirements and will comply with those requirements. In addition, the BAA must now include verbiage indicating that the associate will adhere to the Security Rule with regard to electronic PHI, that they will report breaches of unsecured PHI to covered entities and that they will make sure any subcontractors they use agree to the same regulations and restrictions regarding PHI.
Sound complicated? While the changes implemented by the new rule are not substantial, understanding and complying with them is critical to remain in compliance and avoid costly penalties. To see these rules in action, take a look at the sample BAA provided at the U.S. Dept. of Health and Human Services (HHS) website.