Introduction. Generally, under HIPAA, a health plan, including a multiemployer health plan, may disclose protected health information (“PHI”) to a business associate only if the plan and the business associate meet several requirements, including entering into a “business associate agreement” between them. This agreement must reflect the requirements of the HIPAA regulations.
The U.S. Health and Human Services Department (the “HHS”) issued, on January 25, 2013, final regulations modifying a number of requirements under HIPAA. These modifications changed some of the requirements for the business associate agreement, so that the plan and business associate are required to modify their agreement.
Changes to the Business Associate Agreements. The changes to the requirements for business associate agreements in the final regulations require the agreements to reflect the following:
1) If the health plan delegates any of its obligations under the HIPAA Privacy Rule to the business associate, then the business associate must comply with the Privacy Rule when carrying out the obligations.
2) The business associate must comply with the HIPAA Security Standards for electronic PHI.
3) The business associate is required to report to the plan any breaches of unsecured PHI, in addition to any security incidents.
4) The business associate is required to enter into an agreement with each of its subcontractors that create or receive PHI for or from the business associate, and this agreement must be substantially similar to the business associate agreement with the plan (a “subcontractor agreement”).
Due Date for Revised Business Associate and Subcontractor Agreements. The plan and the business associate were generally required to revise their business associate agreement to reflect the above changes by September 23, 2013. However, a transitional deadline has been available if the plan and business associate had a business associate agreement which:
– was in place prior to January 25, 2013,
– complied, prior to January 25, 2013, with the HIPAA regulations in effect as of such date, and
– is not renewed or modified from March 26, 2013, until September 23, 2013.
If the transitional deadline applied to a business associate agreement, then such agreement need not be revised to reflect the changes in the regulations until the earlier of: (1) the date on which such agreement is renewed or modified on or after September 23, 2013 or (2) September 22, 2014.
The same regular and transitional deadlines apply to subcontractor agreements.
Bottom Line: The revisions to all business associate agreements must be completed and executed by this coming September 22.