The next HIPAA change: Business associates will have to comply directly
By Legal and Regulatory Affairs Staff
January 28, 2010 — If your practice needs to comply with the Health Insurance Portability and Accountability Act (HIPAA) and you have “business associates” as defined by this law, your business associates will have to comply with the HIPAA Privacy Rule and Security Rule effective February 17, 2010. A “business associate” is an organization or person outside of your practice to whom you send protected health information (PHI) so that they can provide services to you or on your behalf. Examples are: a billing service, accountant or collection agency.
This significant expansion of HIPAA is the result of the Health Information Technology for Economic and Clinical Health (HITECH) Act passed by Congress in February 2009.
In addition, we recommend that you amend any business associate contracts you may have, as discussed below.
Up to now, business associates have not been directly regulated under HIPAA because the law applied only to entities in the health care arena like health care providers and health insurers. To ensure that business associates handling PHI for covered entities did not compromise the privacy or security of that information, the Privacy and Security Rules required that covered entities have contracts with their business associates designed to protect PHI. These contracts are called “business associate contracts” or agreements.
The HITECH Act will change this approach by making the HIPAA Privacy Rule and Security Rule directly applicable to business associates effective on February 17. This means that the U.S. Department of Health and Human Services (HHS) can take enforcement action directly against a business associate that fails to comply with the Privacy or Security Rules.
Another change is that business associates will be required to take action if they find that the covered entity is violating HIPAA. If the business associate knows of a “pattern of activity or practice” by a covered entity that breaches their business associate contract, the business associate must fix the breach, terminate the business associate contract or report the noncompliance to HHS. (Previously, the only obligation was for the covered entity to monitor the business associate.)
Amending the business associate contract
The HITECH Act states that new security and privacy provisions in the law should be incorporated into business associate contracts. Some health care lawyers argue that covered entities should wait for HHS to issue new regulations regarding business associates, in case they contain new requirements for business associate contracts that would necessitate a second amendment. Others assert that amendments are superfluous as direct HIPAA regulation of business associates makes the contract unnecessary.
We agree, however, with those health care lawyers who say that the conservative and safer approach would be to amend business associate contracts by the February 17 deadline.
An amendment that can be used to modify your existing business associate contracts is available to Practice Assessment payers on Practice Central. (Psychologists who need a business associate contract template can find one in the American Psychological Association Practice Organization’s Privacy Rule compliance product, HIPAA for Psychologists.)
For more information, contact our Legal and Regulatory Affairs Department by e-mail or call (202) 336-5886.
PLEASE NOTE: Legal issues are complex and highly fact-specific and require legal expertise that cannot be provided by any single article. In addition, laws change over time and vary by jurisdiction. The information in this article should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions regarding individual circumstances.