The final HIPAA Omnibus Rule (Omnibus Rule), published in the Federal Register on January 25, 2013, substantially increased the privacy and security responsibilities of a “business associate” of a “covered entity”, as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)(see discussion later in this post regarding the expansion of the “business associate” definition). Among other changes, the Omnibus Rule requires a covered entity and business associate to revise their business associate agreement (BAA) to reflect the business associate’s new obligations. All BAAs signed after January 24, 2013 should already include new language necessary to comply with the Omnibus Rule. BAAs that were signed on or before January 24, 2013 were deemed compliant until September 22, 2014; however, if renewed or modified before that date then they must be brought into actual compliance at that time. Covered entities and business associates must ensure that all BAAs are compliant with the Omnibus Rule before the September 22, 2014 deadline.
Under the Omnibus Rule, BAAs must be revised to reflect changes to HIPAA that resulted from passage of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). For example, BAAs must now contain provisions requiring business associates to notify a covered entity of any data breaches. For additional details about these new requirements, including links to sample provisions posted by the Department of Health & Human Services’ Office for Civil Rights (OCR), please see our March 3, 2013 article entitled “Sample BAA Provisions“. These new requirements will need to be reflected in BAAs between the covered entity and the business associate as well as in agreements between a business associate and its subcontractor.
Moreover, the Omnibus Rule revised the core definition of “business associates” to specifically include, among others, those who: a) create, receive, maintain, or transmit protected health information (PHI) for a function or activity regulated by HIPAA (e.g., claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, certain patient safety activities, billing, benefit management, practice management, repricing); or b) provide legal, actuarial, accounting, consulting, certain data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where the provision of the service involves the disclosure of PHI from such covered entity to the business associate.
The Omnibus Rule clarified that the category of “business associates” had been expanded by adding provisions to specifically include: a) Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such protected health information; b) a person that offers a personal health record; and c) a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate. The Omnibus Rule, however, excludes certain activities including, among others, a “health care provider” (as defined by HIPAA), with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual. For the full definition of “business associate”, see 45 C.F.R. 160.103.
The Omnibus Rule also places responsibilities on downstream contractors of the business associate, which means business associates must now enter into similar BAAs with their subcontractors who access PHI. Covered entities should verify that they have identified all of their business associates and business associates should verify that they have identified their subcontractors who are business associates. Check out the Workgroup for Electronic Data Interchange’s (WEDI) decision tree to help decide who is a business associate. Covered entities should enter into compliant BAAs with any newly identified business associates or with existing business associates before the September 22, 2014 deadline.