On January 17, 2013 the Dept. of Health and Human services (HHS) released a new final rule which made significant changes in various parts of the HIPAA/HITECH rules. As most readers know the pressures of protecting patients’ “protected health information” (PHI) are continually escalating. In some respects the new rule relieves the Covered Entities from some of those pressure.
How? By expanding the rule to make Business Associates, and their “sub-contractors” directly liable for ensuring the proper measures of security are in place to protect PHI. Naturally, the 563 page final rule has numerous topics and issues for the entire industry. But, in the short-term we need to call attention to the fact that essentially Business Associates must get assurances from their subcontractors! What assurances? Basically, assurances that the subcontractors (those who have “access” to PHI held by the Business Associate) will comply with the regulations and rules surrounding the use/disclosure/transmittal of PHI.
How about an example to clarify this:
A law firm (lets call them Firm) is a business associate of a covered entity (lets call them Agency).
So Firm and Agency have a business associate agreement (BAA) in place, and they have had it in place for years, because both Firm and Agency are doing their best to be compliant.
Prior to this new final rule, Firm had a responsibility to Agency to safeguard Agency’s PHI through the various requirements of the BAA. There was no “rule” requiring Firm to set up subsequent BAA’s with its subcontractors.
Now the new final rule requires Firm to set up BAA’s with its subcontractors.
Which subcontractors does Firm need to do this with?
Simply put, anyone the Firm has hired as subcontractor if that subcontractor has access to PHI kept by the Firm. The new rule has published various comments about how expansive this requirement is, but boiled down to the bare essence of the matter, if the subcontractor has access to PHI there needs to be a BAA in place between Firm and subcontractor.
A prime example would be the Firm’s IT contractor. If Firm has hired someone (not an “in-house” employee) to manage its server and the Firm’s server has PHI, then the IT contractor access to PHI (assuming Firm has stored some PHI from Agency on its server).
Hopefully that plain “bare-essentials” example helped clarify this issue.
Quite notably, a short part of the new rule echos what is written above, it states:
“The Department also believes that the privacy and security protections for an
individual’s personal health information and associated liability for noncompliance with
the Rules should not lapse beyond any particular business associate that is a
subcontractor. Thus, under the final rule, covered entities must ensure that they obtain
satisfactory assurances required by the Rules from their business associates, and business
associates must do the same with regard to subcontractors, and so on, no matter how far
“down the chain” the information flows.”
This new final rule will become effective on March 26, 2013. Covered entities and business associates must comply with the rules by September 23, 2013. We will continue to review and examine the 563-page final rule we will continue to post relevant updates accordingly.
For anyone interested the pdf document of the new final rule can be accessed by clicking here.