The U.S. Department of Health and Human Services (HHS) published the HIPAA final omnibus rule (Final Rule) on January 25, 2013. The Final Rule deals with required changes for medical practices and other health care providers that HHS determined are necessary to secure protected health information (PHI). As a result of the Final Rule, many health care providers must update existing business associate agreements, revise existing notices of privacy practice, and require some business associates’ subcontractors to execute business associate agreements. For many medical practices and health care businesses, this process may be a tedious undertaking and, therefore, should begin promptly. The deadline for compliance is September 23, 2013.
A “business associate” is a person or entity that acts on behalf of or provides services to a health care provider (a “covered entity”) who, by doing so, obtains access to PHI. The purpose of a business associate agreement is to ensure business associates will appropriately safeguard PHI and limit permissible uses and disclosures of PHI, to protect patient privacy and related purposes advanced by HIPAA. A business associate is directly liable under HIPAA and subject to civil (and potentially criminal) penalties for data breaches and other violations of HIPAA.
The Final Rule is published in the Federal Register (78 FR 5565) and is 523 pages. Under the Final Rule, a “business associate” includes a broader scope of entities. “Business associate” now includes subcontractors and entities that create, receive, maintain, or transmit PHI. How this change will impact particular situations may require determinations on an ad hoc basis. All physicians, physician groups, other health care providers, and health care businesses should promptly marshal their existing business associate agreements for review and analysis to determine which agreements must be changed to comply with the Final Rule. Additionally, all business arrangements need to be inventoried and reviewed for a determination as to whether the relationship necessitates a business associate agreement under the Final Rule. For every business arrangement that will require a new business associate agreement, the business associate should be contacted now regarding the requirement of a business associate agreement.
Sample business associate agreements are readily available on HHS’ website. Unfortunately, there is no one-size-fits-all template for business associate agreements. Although a standard form agreement will work properly for many business relationships, that is not always the case. As HHS advises on its website concerning its own template business associate agreement, “[t]he language may be changed to more accurately reflect business arrangements between a covered entity and a business associate or business associate and subcontractor. . . . Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.” Although a form business associate agreement can be useful, it is a mistake to blindly rely on form provisions and assume they adequately address every unique business associate relationship. Providers should consider, for example, whether a particular relationship calls for indemnification provisions to protect the provider in the event of a HIPAA violation by a business associate. Fines and penalties for HIPAA violations can be very significant.
The Law Offices of Kevin S. Little PC is a business law firm focused on representing physicians and health care businesses with regard to many unique legal issues they confront in today’s health care business environment, such as regulatory compliance. We have offices in midtown Atlanta (404-685-1662) and downtown Augusta, Georgia (706-722-7886).
*Disclaimer: Thoughts shared here do not constitute legal advice.