Pierce & Mandell, P.C.

11 Beacon Street, Suite 800
Boston, Massachusetts 02108-3002

Phone: (617) 720-2444
Fax: (617) 720-3693

Health and Dental Law


UPDATING BUSINESS ASSOCIATE AGREEMENTS TO COMPLY WITH NEW HIPAA CHANGES - Boston

William M. Mandell - Monday, July 01, 2013

The federal HHS Office of Civil Rights recently adopted final HIPAA regulations covering a broad range of topics, to strengthen privacy and security protections for individual health information.  This blog is another in a series examining these new regulatory requirements.   

By Dean P. Nicastro, Esq.

The new HIPAA Final Rule for Privacy, Security, Enforcement and Breach Notification (adopted in January 2013) creates new obligations for Business Associate Agreements (“BAA”) between physicians, hospitals and other health care providers (“Covered Entities”), and those contractors who perform services for them involving the use or disclosure of Protected Health Information (“PHI”).

As was mentioned in a previous blog, HIPAA now defines “Business Associate” (“BA”) to include a BA’s subcontractors who create, receive, maintain or transmit PHI on the BA’s behalf.  The new Final Rule goes on to require that a BAA between a Covered Entity and its BA must require the BA to ensure that the BA’s subcontractors comply with HIPAA privacy and security requirements.  Effectively, and as a mandate, this means that the Covered Entity’s BA must have in place a separate BAA with the BA’s subcontractor.

HIPAA makes clear that the Covered Entity need not have a BAA in place directly with the BA’s subcontractor.  However, the Final Rule puts the burden on the Covered Entity to arrange for subcontractor compliance, by requiring the BA to obtain compliance assurance from its subcontractor.  Thus, HIPAA BAAs between health care providers and their servicing vendors need to be revised and updated to include these “downstream” subcontractor compliance obligations.

Care should be exercised when drafting the updating revisions: for example, the main BAA should require that the downstream BAA mirror the BA’s privacy and security obligations; additionally, it may be advisable to expressly disavow any relationship of agency between the Covered Entity and the subcontractor.

Finally, when updating a BAA template, it would be helpful to include language of compliance with Massachusetts law and regulations that protect the security and disposal of data that contains personal information, like names and social security or financial account numbers.  Massachusetts consumer regulations require that a service provider contract be in place with vendors who access such data, so it is a good idea to have the HIPAA BAA serve as such a contract as well.  

In general, the HIPAA Final Rule must be complied with by September 23, 2013.  The federal HHS Office of Civil Rights has posted some helpful sample language for BAAs on its website.

Please contact the health law professionals at Pierce & Mandell for additional information on this subject.

CMS and OIG Propose to Amend Stark and Anti-Kickback Rules for EHR Donations

William M. Mandell - Wednesday, May 01, 2013
By Dean P. Nicastro

Last month, the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General of the U.S. Department of Health and Human Services (OIG) proposed similar amendments to the Stark exception and to the Anti-Kickback safe harbor for the donation of electronic health records (EHR).  The current rules permit hospitals, group practices and other entities to donate technology-related items and services to physicians, to be used to create, maintain, transmit or receive EHR.  Highlights of the proposed changes:

  • Eliminate the requirement that EHR must include an electronic prescribing component or interface ability
  • Change the procedure for deeming EHR software “interoperable,” so as to follow the current certification process employed by the Office of National Coordinator for Health Information Technology (ONC); and eliminate the 12-month prior timeframe for certification
  • Postpone the EHR sunset from December 31, 2013 to December 31, 2016

The two agencies believe that “sufficient alternative policy drivers” exist to advance electronic prescribing, and that the ONC certification program (which certifies to any edition of EHR certification criteria that is identified in the regulatory definition applicable at time of donation) is consistent with the objective of ensuring that EHR products are certified to the current standard of interoperability when they are donated.  In addition, the sunset extension is thought needed in order to help achieve more widespread adoption of EHR in the healthcare industry (the December 31, 2016 date corresponds with the closing timetable for Medicare/Medicaid EHR incentive programs; the agencies even suggest an extension to December 31, 2021).

The agencies have invited comment on the proposed amendments through June 10, 2013.  Also, they seek comment on whether to limit the class of permitted donors, so as to exclude certain ancillary suppliers, such as lab companies, durable medical equipment suppliers and independent home health agencies, and on other suggestions for preventing “data and referral lock-in” and for encouraging the free exchange of data.

The proposed changes are contained in the April 10, 2013 Federal Register.  Please contact the health law professionals at Pierce & Mandell for additional information on this subject.
