Business Associates and HIPAA Final Rule Compliance Date

Submitted by: Martha Somers, Administrator of Information Technologies

At the beginning of the year, the Office for Civil Rights (OCR) of the Department of Health and Human Services published new regulations that modify the privacy, security, enforcement, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The new regulations, often referred to as “The Final Rule,” became effective March 26, 2013, with compliance required by September 23, 2013.
The Final Rule extends to the companies that do business with the healthcare industry, otherwise known as “business associates.” A business associate is an individual or organization acting on behalf of a HIPAA covered entity that creates, receives, maintains, or transmits protected health information (PHI) in connection with a function or activity regulated by HIPAA. Business associates include a wide range of companies, including those providing certain software products, electronic health records, cloud computing services, outsourcing services, data centers, and claims processing.
Once compliance with the Final Rule is required, business associates and their subcontractors will be directly responsible, along with the covered entities they serve, for health data breaches and HIPAA non-compliance. The responsibility of a business associate has been raised to almost that of a covered entity.
Business associates previously had privacy and security obligations only under their contractual agreements with covered entities. Under the HIPAA Final Rule, business associates have their own obligations governing how they may use and disclose PHI on behalf of a covered entity, and they are responsible for maintaining their own policies and procedures. They could face investigations and substantial financial penalties from the Department of Health and Human Services for noncompliance.
A business associate agreement that complies with pre-Final Rule HIPAA requirements need not be amended until September 23, 2014, provided it is not renewed or modified before then; new business associate agreements entered into after January 25, 2013 must contain the newly required provisions by September 23, 2013.
